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This  report  presents  a  state-of-the-art  assessment  of  the  influences  of  human  error  on  the  design, 
construction,  and  reliability  of  marine  structures.  The  objective  of  this  study  was  to  establish 
guidelines  to  consider  the  effects  of  human  errors  in  design  and  construction  of  marine  structures 
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This  study  is  part  of  a  five-year  SSC  research  program  to  apply  reliability  technology  and  develop 
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variety  of  sources  of  uncertainty  and  ship  design  considerations  that  influence  probability  based 
design  guidelines  for  ships.  Human  and  Organization  Errors  (HOE)  have  not  been  explicitly 
addressed  even  though  HOE  is  the  major  contributor  to  lack  of  structural  reliability. 

This  study  has  categorized  human  factors,  considered  relevant  case  studies,  identified  qualitative 
and  quantitative  processes  for  evaluating  the  incidence  and  effects  of  human  error,  studied  the 
impacts  of  human  error  on  design  guidelines,  and  evaluated  how  marine  critical  structural 
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INTRODUCTION 


Objective 


The  objective  of  this  study  was  to  perform  a  state-of-the-art  assessment  of 
the  influences  of  human  error  on  the  reliability  of  marine  structures. 

This  objective  was  intended  to  establish  guidelines  to  consider  the  effects 
of  human  errors  in  design  and  construction  of  marine  structures  and  the  for¬ 
mulation  of  structural  design  criteria. 

This  project  is  part  of  a  five-year  Ship  Structure  Committee  (SSC)1 
research  program  to  apply  reliability  technology  and  develop  probability-based 
design  criteria  for  ship  structures.  Thus  far,  this  research  has  addressed  a 
variety  of  sources  of  uncertainty  and  ship  design  considerations  that  influence 
probability  based  design  guidelines  for  ships.  However,  Human  and 
Organization  Error  (HOE)  has  not  been  explicitly  addressed  even  though  it  is 
the  major  contributor  to  lack  of  reliability  in  marine  structures. 


Scope 


This  project  classified  and  defined  HOE  in  design  and  construction, 
summarized  relevant  case  studies,  identified  qualitative  and  quantitative  pro¬ 
cesses  for  evaluating  the  incidence  and  effects  of  HOE,  studied  the  impacts  of 
HOE  on  design  guidelines,  and  evaluated  alternatives  for  the  management  of 
HOE  in  the  design  and  construction  of  ships. 

The  focus  of  this  project  was  on  design  and  construction  of  commercial 
ships  with  particular  attention  given  to  oil,  chemical,  and  bulk  carriers. 

This  project  addressed  the  following  key  questions: 

•  What  is  HOE? 

•  Can  HOE  be  defined  and  classified? 

•  Can  HOE  be  quantified? 

•  Should  HOE  be  reflected  in  design  codes  and  criteria? 


•'Acronyms  are  listed  and  defined  in  Appendix  B 
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During  this  study,  a  review  was  made  of  recent  developments  in  consid¬ 
eration  of  HOE  in  design  and  the  formulation  of  structural  design  criteria. 

This  study  included  HOE  considerations  in  design  of  engineered  structures 
such  as  airframes,  space  vehicles,  nuclear  power  plants,  buildings,  ships,  and 
offshore  platforms.  Recent  studies  addressing  HOE  in  medicine  and  in  devel¬ 
opment  of  computer  software  were  also  reviewed. 

As  a  result  of  this  project  and  allied  research  on  HOE  in  design,  con¬ 
struction,  and  operations  of  marine  systems  [Bea,  1989;  Bea,  Moore,  1992;  Bea, 
Moore,  1994]2,  a  practical  design  and  construction  oriented  HOE  classification 
and  characterization  system  has  been  developed. 

Available  background  on  the  effectiveness  of  different  means  of  quality 
assurance  and  control  (QA  /  QC)in  design  have  been  summarized.  Several 
such  studies  have  been  conducted  for  the  design  of  conventional  building  struc¬ 
tures. 


Guidelines  have  been  developed  on  how  HOE  considerations  might  best 
be  integrated  into  development  of  reliability-based  design  criteria  for  marine 
structures.  These  guidelines  address  how  the  incidence  of  HOE  can  be  re¬ 
duced  by  design  and  how  this  engineering  can  influence  the  incidence  of  HOE 
in  the  construction  and  operations  phases  of  the  life-cycle  of  the  marine  struc¬ 
ture. 


In  addition,  these  guidelines  address  how  the  structures  themselves  can 
be  improved  to  reduce  the  effects  and  consequences  of  HOE.  It  is  anticipated 
that  the  primary  improvements  will  be  in  the  regimes  of  design  for  robustness 
and  design  for  Inspections,  Maintenance,  and  Repair  (IMR). 


Approach 


The  scope  of  work  in  this  project  was  accomplished  by: 

1)  Performing  a  literature  review,  critique,  and  summary. 

2)  Developing  a  structure  design  oriented  classification  of  HOE. 

3)  Evaluating  the  effectiveness  of  alternative  structure  design  Quality 
Assurance  (QA)  and  Quality  Control  (QC)  measures. 

4)  Developing  and  illustrating  the  quantification  and  analyses  of  HOE. 

5)  Developing  guidelines  for  consideration  of  HOE  in  structure  design 
and  criteria. 


^References  are  listed  in  Appendix  A 
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Chapter  1 


Introduction 


Summary _ _ _ 

The  following  summarizes  the  answers  to  the  key  questions  posed  at  the 
beginning  of  this  project. 

•What  is  HOE? 

Human  error  is  a  departure  from  acceptable  or  desirable  practice  on  the 
part  of  an  individual  that  can  result  in  unacceptable  or  undesirable  results. 
Human  error  refers  to  a  basic  event  involving  a  lack  of  action  or  an  inappro¬ 
priate  action  taken  by  individuals  that  can  lead  to  unanticipated  and  undesir¬ 
able  quality. 

Organization  error  is  a  departure  from  acceptable  or  desirable  practice 
on  the  part  of  a  group  of  individuals  that  can  result  in  unacceptable  or  undesir¬ 
able  quality.  Organization  errors  have  a  pervasive  influence  on  human  errors. 

Quality  in  a  ship  structure  has  four  inter-related  key  attributes : 
serviceability  (ability  to  perform  intended  functions),  safety  (freedom  from 
harm),  durability  (freedom  from  unanticipated  maintenance),  and 
compatibility  (meets  schedule,  cost,  and  environmental  requirements). 

Human  errors  develop  from  a 
complex  variety  of  influences  (Figure 
1.1).  Individuals  acting  alone  or  in 
teams  can  make  errors.  They  can  be 
influenced  or  induced  to  make  errors 
by  organizations,  procedures 
(software,  instructions),  systems 
(physical  components),  and  environ¬ 
ments  (external,  internal).  There  are 
error  producing  potentials  not  only 
within  each  of  these  components,  but 
as  well  at  their  interfaces.  For  exam¬ 
ple,  an  individual  can  misunderstand 
the  goals  and  objectives  of  the  organi- 

zation  or  misinterpret  the  instructions  Figure  1.1  -  Components  and  inter¬ 
incorporated  into  procedures.  faces  that  can  lead  to  human  errors 


•  Can  HOE  be  defined  and  classified  ? 

Yes,  human  errors  can  be  defined  and  classified  in  a  variety  of  ways 
(e.g.  action  class,  mode,  mechanism,  effect).  The  classification  and  definition 
needs  to  be  appropriate  for  a  particular  descriptive  or  analytical  purpose. 

In  one  scheme  HOE  can  be  organized  into  two  categories:  1)  those  that 
develop  from  "states,"  and  2)  those  that  develop  from  "actions."  States  are 
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those  influences  that  induce  individuals,  teams,  and  organizations  to  make 
errors.  Incentives,  environment,  and  information  are  some  of  the  primary 
factors  that  influence  state  determined  errors.  Lapses  or  slips,  mistakes,  and 
unsafe  acts  are  the  primary  factors  that  influence  actions  determined  errors. 
A  slip  or  error  of  omission  is  a  human  error  in  which  what  is  performed  was 
not  intended.  A  mistake  is  a  human  error  where  the  intention  was  erroneous 
and  was  purposefully  executed.  Unsafe  acts  are  unreasonable  or  unlawful  ac¬ 
tions  (violations).  States  can  lead  to  human  error  in  actions,  and  actions  can 
lead  to  undesirable  states. 


Figure  1.2  summarizes  the  classifi¬ 
cation  of  human  (individual)  errors  devel¬ 
oped  during  this  project  to  describe  and 
evaluate  the  effects  of  such  errors  on  the  de¬ 
sign  and  construction  of  ship  structures. 

Human  errors  can  develop  as  a  re¬ 
sult  of  influences  from  groups  of  individu¬ 
als  -  organizations.  Figure  1.3  summarizes 
the  classification  of  organization  errors  de¬ 
veloped  during  this  project  to  describe  and 
evaluate  the  effects  of  such  errors  on  the  de¬ 
sign  and  construction  of  ship  structures. 


Figure  1.2  -  Human  errors 


•  Can  HOE  be  quantified  ? 

Yes,  if  and  as  desirable,  HOE  can  be 
quantified.  There  are  two  complimentary 
approaches  to  the  quantification  of  HOE  in 
design  and  construction  operations.  The 
first  is  based  on  the  use  of  objective  data  that 
has  been  gathered  on  the  incidence  of  HOE 
in  design  and  construction  activities. 

The  second  is  based  on  the  use  of  ex¬ 
pert  judgment.  Objective  data  can  be  devel¬ 
oped  by  the  direct  gathering  of  data  on  the 
job  of  interest,  information  from  similar 
jobs,  real-time  simulations  or  experiments 
with  the  actual  tasks.  Subjective  data  can 
be  derived  from  extrapolations  of  objective 
data  and  the  scaling  of  expert  judgment. 


Figure  1.3  -  Organization  errors 


This  study  has  not  identified  any  well  organized,  long-term  effort  in 
which  a  substantial  body  of  objective  data  has  been  developed  on  HOE  in  design 
and  construction  activities.  Some  information  is  available  for  some  types  of  ac¬ 
tivities  (Figure  1.4). 
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new  or  rarely  performed  task 
extreme  stress,  very  little  time 
severe  distractions  &lmparements 

highly  complex  task 

considerable  stress,  little  time 

„  ,  ift-2 

moderate  distractions  &  Imparements 

complex  or  unfamililar  task 

moderate  stress,  moderate  time 

in-3 

little  distractions  &  Imparements 

difficult  but  familiar  task 

little  stress,  sufficient  time 

10"4 

very  little  distractions  or  imparements 

simple,  frequently,  skilled  task 
no  stress,  no  time  limits 

—  1a5 

no  distractions  or  imparements 

Figure  1.4  -  General  task  human  error 
probabilities 


The  tests  that  have  been  per¬ 
formed  indicate  that  human  per¬ 
formance  reliability  is  influenced 
dramatically  by  the  "pressure"  of 
performance  (Figure  1.5). 

Pressure  results  from  the 
combination  of  psychological 
stress,  task  unfamiliarity  and 
complexity,  intensity  of  dis¬ 
tractions,  limited  time,  and  cogni¬ 
tive  impairments.  Training,  per¬ 
sonnel  selection,  and  task  com¬ 
plexity  reduction,  and  provision  of 
sufficient  time  to  perform  tasks 
can  have  important  effects  on  per¬ 
formance  reliability. 

The  quantitative  information 
that  is  available  is  extremely  valu¬ 
able  in  that  it  provides  a  place  to 
start  the  processes  of  quantifica¬ 
tion.  However,  primary  reliance 
in  making  quantification  of  HOE  in 
design  and  construction  must  be 
placed  on  the  use  of  expert 
judgment. 

The  fundamental  purpose  of 
quantitative  evaluations  based  on 
results  from  analytical  models  is 
not  prediction.  The  fundamental 
purpose  is  to  provide  a  disciplined 
framework  with  which  one  can 
describe  and  analyze  "systems". 

The  objective  of  these  analyses  is  to 
make  assessments  of  the  potential 

benefits  and  costs  associated  with  alternative  measures  that  can  improve  the 
quality  of  ship  structures.  The  objective  of  these  analyses  is  to  provide  insights 
on  how  best  to  improve  the  quality  of  ship  structures  and  to  optimize  the  use  of 
the  resources  that  can  be  made  available  to  improve  quality. 


Figure  1.5  -  Effects  of  pressure  on  human 
performance 


The  desire  or  requirement  for  quantitative  evaluations  and  analytical 
models  should  not  be  allowed  to  become  an  impediment  to  improving  the 
quality  of  ship  structures.  The  focus  of  the  efforts  should  be  to  empower  those 
that  have  responsibilities  for  achieving  quality.  Engineers  generally  have  a 
powerful  ability  to  develop  quantitative  analytical  models.  However,  they 
generally  also  have  a  weakness  in  mistaking  results  from  these  models  for 
reality. 
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•  Should  HOE  be  reflected  in  design  codes  and  criteria 

Yes,  HOE  should  be  reflected  in  ship  structure  design  codes  and  criteria 
in  two  primary  ways.  First,  in  the  form  of  explicit  and  defined  Quality 
Assurance  and  Quality  Control  (QA  /  QC)  measures  (Figure  1.6).  Second,  in 
the  form  of  explicit  and  defined  measures  to  make  the  ship  structure  less  likely 
to  promote  errors  during  its  design,  construction,  and  operation,  and  to  make 
the  ship  structure  more  tolerant  of  the  human  errors  and  accidents  that  can 
occur  during  the  life  of  the  ship. 

There  are  three  primary  strategies 
to  incorporate  HOE  considerations  in  de¬ 
sign  codes  and  criteria: 


1)  fault  avoidance  (prevention)  - 
measures  intended  to  lower  the  dif¬ 
ficulty  of  tasks  to  be  performed  by 
humans  and  to  increase  their  abili¬ 
ties  to  perform  the  tasks. 


2)  fault  detection  and  removal  - 
provisions  for  checking,  inspect¬ 
ing,  independent  verifications,  and 
providing  measures  for  correction 
of  faults  and  flaws  when  they  are 
found. 


3)  fault  tolerance  -  design  for  defect 
and  damage  tolerance  (robustness 
in  the  structure  system). 

This  study  has  not  indicated  that  it 
is  effective  or  efficient  to  attempt  to  defend 
against  HOE  by  employing  larger  loading 
factors  or  smaller  resistance  factors  in 
the  design  process.  It  is  much  more  effective  and  efficient  to  manage  HOE 
problems  at  their  sources,  i.e.,  to  utilize  available  resources  to  reduce  the  inci¬ 
dence  and  effects  of  HOE. 

Prevention  of  HOE  is  a  primary  strategy  that  should  be  reflected  in  de¬ 
sign  codes  and  criteria.  This  is  the  essence  of  Quality  Assurance.  Such  pre¬ 
vention  addresses  the  accountability  and  responsibilities  of  quality  in  the  de¬ 
sign  and  construction  of  commercial  ship  structures.  These  responsibilities 
are  suggested  in  this  report. 

Prevention  also  addresses  the  qualifications  and  training  of  those  that 
design  and  construct  ship  structures,  the  formation  of  quality  oriented  design 
and  construction  teams,  the  elimination  of  unnecessary  complexity  in  design 


Figure  1.6  -  QA  /  QC  life-cycle  activ¬ 
ities 
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codes  and  construction  procedures,  and  the  verification  and  validation  of 
guidelines,  procedures,  and  software  used  to  design  ships. 

It  is  important  to  recognize  that  HOE  can  be  reduced.  However,  it  is 
equally  important  to  recognize  that  HOE  can  not  be  eliminated.  Thus,  ship 
structure  systems  should  be  designed  that  will  be  tolerant  of  the  defects  and 
damage  that  can  arise  because  of  "residual"  HOE  in  design,  construction,  and 
operation.  Ship  structure  design  guidelines  that  will  explicitly  consider  and 
address  design  of  error  tolerant  (robust)  structures  is  an  important  area  for 
future  development. 


Report  Contents 


In  the  next  chapter  of  this  report,  the  relationships  of  quality  and  quality 
management  will  be  examined  in  the  contexts  of  TQM  (Total  Quality 
Management),  the  ISO  (International  Standards  Organization)  Quality 
Standards,  and  QA  /  QC  activities.  Engineering  and  construction  activities 
which  can  promote  quality  in  ship  structures  will  be  discussed. 

Chapter  3  develops  the  interfaces  between  quality  and  reliability  of  ship 
structures.  A  life-cycle  reliability  -  quality  formulation  is  proposed  in  which 
serviceability,  safety  (capacity),  durability,  and  compatibility  are  explicitly  ad¬ 
dressed.  Risk  and  risk  management  are  discussed  in  the  context  of  decisions 
that  must  be  made  regarding  investments  to  achieve  quality  in  ship  struc¬ 
tures. 

Chapter  4  discusses  QA  and  QC  and  the  cost  /  competitive  aspects  of 
achieving  adequate  and  acceptable  quality  in  ship  structures.  Cost  -  benefit 
tradeoffs  and  other  approaches  to  define  equitable  balances  between  quality 
and  costs  are  discussed  and  illustrated. 

Human  errors  have  been  studied  formally  for  several  decades  as  they  in¬ 
fluence  the  quality  of  non-marine  structures.  A  substantial  background  has 
been  developed  to  address  human  factors  in  activities  such  as  operations  of  nu¬ 
clear  power  plants  and  the  U.  S.  Navy  nuclear  powered  aircraft  carrier  opera¬ 
tions.  A  substantial  body  of  technology  has  been  developed  that  has  direct  ap¬ 
plications  to  marine  structures.  Chapter  5  reviews  highlights  of  this  back¬ 
ground. 

It  has  been  only  relatively  recently  that  there  has  been  a  general  recogni¬ 
tion  of  the  importance  of  human  factors  in  the  quality  of  marine  structures. 
Historic  causes  of  unsatisfactory  quality  in  marine  structures  are  reviewed  in 
Chapter  6.  Several  recent  examples  of  problems  with  insufficient  quality  in 
marine  structures  are  reviewed. 

Based  on  the  background  developed  in  Chapter  5  and  the  first  part  of 
Chapter  6,  a  classification  of  the  causes  of  human  (individual),  organization, 
system  (hardware),  and  procedures  (software)  errors  is  developed  and  dis- 


7 


Role  of  Human  Error  In  Reliability  of  Marine  Structures 


cussed.  This  classification  becomes  the  basis  for  the  qualitative  and  quantita¬ 
tive  evaluation  processes  that  are  developed  in  Chapter  8  and  illustrated  in 
Chapter  9. 

Chapter  7  defines  and  discusses  general  alternatives  for  the  manage¬ 
ment  of  human  errors  in  the  design  and  construction  of  ship  structures.  Of 
particular  importance  in  this  chapter  are  the  organizational  aspects  that 
should  be  addressed  to  achieve  adequate  quality  in  ship  structures. 

Chapter  8  discusses  three  complimentary  approaches  to  the  evaluations 
of  HOE  in  design  and  construction  of  ship  structures.  Qualitative  ranking  and 
rating  methods  are  discussed  and  illustrated.  Such  methods  have  found  sub¬ 
stantial  applications  in  the  operations  of  offshore  platforms.  Next,  quantitative 
PRA  (Probabilistic  Risk  Analyses)  are  discussed.  Such  methods  have  found 
substantial  applications  in  operations  of  nuclear  power  plants  and  some  appli¬ 
cations  in  the  design,  construction,  and  operation  of  offshore  platforms.  There 
have  been  some  exploratory  developments  in  their  application  to  operations  of 
ships. 


The  third  approach  discussed  in  Chapter  8  is  a  mixed  qualitative  -  quan¬ 
titative  method  that  might  best  be  described  as  a  Safety  Indexing  Method.  This 
approach  has  been  widely  applied  to  a  variety  of  non-marine  structure  and 
equipment  systems.  This  approach  has  been  applied  to  two  marine  structure 
problems:  fires  and  explosions  on  offshore  platforms  and  ship  operations. 
Because  of  its  potential  application  in  future  developments  in  design  and  con¬ 
struction  of  ship  structures,  the  two  marine  Safety  Indexing  Methods  have 
been  summarized  in  Appendix  C. 

Chapter  9  contains  several  applications  of  the  foregoing  developments  to 
evaluation  of  HOE  effects  on  the  design  of  marine  structures.  The  first  sec¬ 
tions  in  Chapter  9  identify  the  principal  activities  and  influences  involved  in 
the  design  and  construction  of  ship  structures.  Next,  based  on  the  general 
ship  design  process  developed,  the  PRA  approach  summarized  in  Chapter  8  is 
developed  formally  as  it  applies  to  the  design  of  ship  structures. 

Chapter  9  contains  summaries  of  three  example  applications.  The  first 
is  an  example  that  addresses  HOE  in  a  Finite  Element  Analysis  (FEA)  of  a  crit¬ 
ical  part  of  an  offshore  platform.  Quantitative  assessment  of  the  effects  of  im¬ 
proving  parts  of  the  design  process  are  illustrated.  A  PRA  application  to  the 
design  of  an  offshore  platform  structure  is  summarized  in  Appendix  D. 

Chapter  9  then  addresses  two  ship  structure  design  examples  that  con¬ 
cern  design  of  a  class  of  single  hull  tankers.  The  first  example  addresses  HOE 
aspects  of  the  fatigue  durability  in  the  Critical  Structural  Details  (CSD).  The 
second  example  addresses  HOE  aspects  concerned  with  the  FEA  of  the  CSD  in 
these  ships.  Both  examples  involve  qualitative  and  quantitative  assessments. 
Both  examples  illustrate  the  evaluation  of  alternatives  intended  to  improve  the 
quality  of  the  design  of  the  CSD. 
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Chapter  10  summarizes  what  has  been  learned  during  this  project  as  it 
applies  to  an  LRFD  guideline  for  ship  structures  being  developed  under  the 
auspices  of  the  SSC  [Mansour,  et  al.,  1993].  Organization,  ship  designer,  and 
written  guideline  aspects  are  addressed.  Specific  suggestions  are  made  re¬ 
garding  what  should  be  done  in  development  of  the  design  guideline  to  address 
HOE  considerations. 

Chapter  11  identifies  key  research  and  development  efforts  that  should 
be  considered  if  this  work  is  to  be  continued.  These  efforts  address  education, 
design,  construction,  and  operations  aspects  of  ship  structures. 

Chapter  12  summarizes  the  principal  developments  from  this  project. 
Conclusions  concerning  how  what  has  been  learned  should  be  applied  to  help 
improve  the  quality  of  ship  structures  are  summarized. 

Appendix  A  contains  a  listing  of  all  references  cited  in  this  report. 
Appendix  B  contains  a  listing  of  the  primary  acronyms  used  in  this  report. 
Appendix  C  contains  a  summary  of  the  two  marine  structure  related  Safety 
Indexing  Methods.  Appendix  D  contains  a  summary  of  the  PRA  application  to 
design  of  an  offshore  platform  structure. 
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QUALITY  &  QUALITY 
MANAGEMENT 


Quality _ 

Quality  is  defined,  in  this  report  as  freedom  from  unanticipated  defects. 
Quality  is  fitness  for  purpose.  Quality  is  meeting  the  requirements  of  those  that 
own,  operate,  design,  construct,  and  regulate  ship  structures.  These  require¬ 
ments  include  those  of  serviceability,  safety,  compatibility,  and  durability 
[Matousek,  1990]  (Figure  2.1). 

Serviceability  is 
suitability  for  the  proposed 
purposes,  i.e.  functionality. 

Serviceability  is  intended  to 
guarantee  the  use  of  the  system 
for  the  agreed  purpose  and 
under  the  agreed  conditions  of 
use. 

Safety  is  the  freedom 
from  excessive  danger  to  Figure  2.1  -  Attributes  that  constitute  quality 

human  life,  the  environment,  in  ship  structures 
and  property  damage.  Safety  is 
the  state  of  being  free  of 
undesirable  and  hazardous 

situations.  The  capacity  of  a  structure  to  withstand  its  loadings  and  other 
hazards  is  directly  related  to  and  most  often  associated  with  safety. 

Compatibility  assures  that  the  system  does  not  have  unnecessary  or  ex¬ 
cessive  negative  impacts  on  the  environment  and  society  during  its  life-cycle. 
Compatibility  is  the  ability  of  the  system  to  meet  economic  and  time  require¬ 
ments. 
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Durability  assures  that  serviceability,  safety,  and  environmental  compat¬ 
ibility  are  maintained  during  the  intended  life  of  the  marine  system.  Durability 
is  freedom  from  unanticipated  maintenance  problems  and  costs. 

Quality  has  been  defined  by  Stena  [1992]  as: 

"An  attitude  and  culture  which  adopts  a  never-ending  journey  of  meeting 
customers'  needs  and  expectations  through  continuous  improvement  by 
fully  trained  and  empowered  employees. " 

Quality  obviously  has  different  meanings  for  different  people.  In  this 
report,  the  term  quality  as  applied  to  design  and  construction  of  ship  structures 
will  be  taken  to  be: 

freedom  from  unanticipated  defects  in  the  serviceability,  safety, 
durability,  and  compatibility  of  the  ship  structure. 


Quality  Management  Systems 


In  recent  years,  a  wide 
variety  of  processes,  procedures, 
and  philosophies  intended  to 
improve  and  achieve  adequate 
quality  in  goods  and  services 
have  been  developed  and 
implemented.  The  ones  that 
will  be  discussed  here  include 
Total  Quality  Management 
(TQM),  Quality  Assurance  (QA), 
Quality  Control  (QC),  and  ISO 
(International  Standards 
Organization)  quality 
standards.  These  components 
can  be  viewed  as  building  blocks 
of  a  Quality  Management 
System  (QMS). 


At  the  outset,  it  is  Figure  2.2  -  Relationships  of  TQM,  QA,  QC, 

important  to  recognize  that  and  ISO  quality  standards 
these  processes,  procedures,  and 
philosophies  are  related  to  the 

same  objective  (Figure  2.2).  They  represent  complimentary  parts  of  activities 
that  are  intended  to  help  achieve  adequate  and  acceptable  quality.  These  are 
the  building  blocks  that  can  help  achieve  quality. 
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Total  Quality  Management 


TQM  has  its  roots  founded  in  an  effort  that  dates  back  to  the  early  1900's. 
Walter  Shewhart,  a  scientist  at  Bell  Laboratories,  proposed  that  successful 
scientists  follow  a  general  pattern  to  improve  knowledge  with  new  ideas.  First, 
they  plan  a  way  to  test  their  ideas  through  experimentation.  Second,  they  do 
their  experiments.  Third  they  check  the  measured  results  against  the  planned 
results.  Fourth,  they  act  on  the  results.  If  their  ideas  are  not  verified,  or  not 
verified  completely,  they  start  over  by  modifying  their  ideas.  But,  if  their  ideas 
are  validated,  these  ideas  become  added  to  the  body  of  scientific  knowledge.  This 
scheme  became  the  plan-do-check-act  process  of  continuous  experimentation. 

In  1924,  W.  E.  Deming  was  a  young  graduate  student  intern  at  Bell 
Laboratories.  He  worked  for  Shewhart  and  documented  the  "Shewhart  Cycle  of 
Continuous  Improvement."  In  the  1950's,  Deming  taught  the  Japanese  how  to 
apply  the  continuous  improvement  cycle  to  all  forms  of  work.  The  philosophy 
proved  so  successful  that  it  found  its  way  back  into  U.  S.  industry  in  the  1980's 
[Deming,  1982]. 

Deming  founded  his  philosophy  of  Total  Quality  Management  (TQM)  on 
the  fourteen  points  summarized  in  Table  2.1 


Table  2.1  -  The  Deming  fourteen  points  of  TQM 


1.  constancy  of  purpose 

2.  adoption  of  new  philosophies 

3.  elimination  of  inspections 

4.  don't  buy  on  price  alone 

5.  quality  improvement  is  never  end¬ 
ing 

6.  institute  on  the  job  training 

7.  substitute  leadership  for  supervi¬ 
sion  and  management 

8.  drive  out  fear  and  create  confidence 


9.  break  down  barriers 

10.  eliminate  slogans  and  targets 

11.  eliminate  management  by  objec¬ 
tives  and  quotas 

12.  remove  barriers  to  pride  and  qual¬ 
ity 

13.  institute  a  program  of  education 
and  self  improvement 

14.  do  it  and  re-do  it  as  a  continuous 
process  of  improvement  in  quality 


Total  Quality  Management  (TQM)  is  a  management  philosophy:  a  way  of 
thinking  and  working  [Adrian,  1992].  It  has  three  main  themes: 

•  Customer  satisfaction, 

•  Participative  management,  and 

•  Ongoing  improvement. 

The  focus  of  TQM  is  on  improving  quality  by  removing  defects  and  solving 
problems  [Oswald,  Burati,  1992].  TQM  focuses  on  envisioning  the  company  as  a 
linkage  of  processes,  a  coherent  system  of  people  and  procedures. 
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TQM  promotes  the  following  key  management  practices  and  activities: 

•  Do  it  right  the  first  time. 

•  Minimize  production  variations  and  risks. 

•  Emphasize  problem  solving  through  participative  management  teams. 

•  Compare  quality  and  performance  results  with  a  predetermined  and 
measurable  standard. 

•  Provide  continual  training  and  education  aimed  at  quality  improvement. 


Quality  Assurance  &  Quality  Control 


Quality  Assurance  and  Quality  Control  can  be  categorized  as  parts  of 
Quality  Management  Systems  (QMS).  QMS  are  systems  of  formal  documented 
practices  used  by  an  organization  or  team  to  measure,  report,  and  control  the 
quality  of  its  goods  and  services  [Puri,  1991].  QMS  establishes  ways  to  meet  the 
stated  and  implied  requirements. 

Quality  Assurance  (QA)  are  those  practices  and  procedures  that  are  de¬ 
signed  to  help  assure  that  an  acceptable  degree  of  quality  is  obtained.  QA  is 
focused  on  prevention  of  errors.  QA  consists  of  system  oriented  planned  actions 
to  achieve  quality,  corrective  processes,  and  prevention  of  problems. 

Quality  Control  (QC)  is  associated  with  the  implementation  and  verification  of 
the  QA  practices  and  procedures.  QC  is  intended  to  assure  that  the  desired  level 
of  quality  is  actually  achieved.  QC  is  focused  on  inspection,  reaction, 
identification  of  errors,  rectification,  rework,  and  correction. 


ISO  Quality  Standards 


The  International  Standards  Organization  (ISO)  9000  series  of  interna¬ 
tional  quality  standards  [ISO,  1994,  1994a]  and  the  related  standards  [British 
Standards  Institution,  1990;  Norwegian  Standards,  1990]  are  sets  of  require¬ 
ments  for  critical  elements  in  documented  business  /  industrial  systems.  These 
standards  touch  on  topics  from  management  review  and  design  control  to  statis¬ 
tical  techniques. 

The  ISO  Standards  have  their  roots  founded  in  a  much  earlier  set  of  stan¬ 
dards  that  were  developed  by  the  U.  S.  Military  during  the  second  World  War. 
The  Military  standards  were  further  developed  and  detailed  in  Europe  during 
the  1970's  and  1980's.  Both  the  British  [British  Standards  Institution,  1990] 
and  the  Norwegians  [Norwegian  Standards,  1990]  developed  comparable  stan¬ 
dards  that  were  intended  to  help  achieve  desirable  degrees  of  quality  in  primar¬ 
ily  manufactured  systems.  Later,  these  standards  were  harmonized  and  inte¬ 
grated  into  a  set  of  harmonized  European  standards.  The  formation  of  the 
European  Economic  Consortium  resulted  in  development  of  the  ISO.  The  ISO 
system  of  quality  standards  were  an  early  result  that  were  published  in  the  late 
1980's. 
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ISO  9000,  "Quality  Management  Table  2.1  -  Components  of  ISO  9000 
and  Quality  Assurance  Standards  - 
Guidelines  for  Selection  and  Use"  is  the 
introduction  to  the  ISO  quality  system 
(ISO,  1994a).  It  explains  fundamental 
quality  concepts;  defines  key  terms; 
and  provides  guidance  on  selecting, 
using,  and  tailoring  the  other 
standards  to  fit  specific  needs.  Table 
2.1  summarizes  the  key  elements  that 
comprise  ISO  9000  [Moore,  Roberts, 

1994]. 

ISO  9001,  "Quality  Systems  - 
Model  for  Quality  Assurance  in  Design 
/  Development,  Production, 

Installation,  and  Servicing,  covers  all  of 
the  elements  found  in  9002  and  9003 
(ISO,  1994b).  It  provides  additional 
details  and  adds  requirements  for 
design  controls  and  after 
commissioning  servicing. 

ISO  9002,  "Quality  Systems  - 
Model  for  Quality  Assurance  in 
production  and  Installation,"  deals 
with  the  prevention,  detection  and  correction  of  problems  during  production  and 
installation.  It  addresses  manufacturing  aspects  such  as  purchased  materials, 
work  in  process,  record  keeping,  training,  and  auditing. 

ISO  9003  "Quality  Systems  -  Model  for  Quality  Assurance  in  Final 
Inspection  and  Test,"  provides  requirements  for  sorting  acceptable  and  non-ac- 
ceptable  products  before  transportation  and  commissioning. 

ISO  9004,  "Quality  Management  and  Quality  System  Elements  - 
Guidelines,"  is  intended  for  organizations  that  are  initiating  their  quality  man¬ 
agement  programs.  The  9004  standard  is  intended  to  help  organizations  develop 
a  better  grasp  of  the  principles  of  quality  management  and  the  needs  of  their  or¬ 
ganizations  and  customers.  The  9004  standard  is  the  foundation  for  the  ISO 
quality  developments.  ISO  9001,  9002,  and/or  9003  are  then  selected  to  estab¬ 
lish  the  particulars  of  a  quality  system.  The  9004  standard  embodies  the  devel¬ 
opment  of  TQM  in  a  given  organization. 

It  should  be  understood  that  the  ISO  guidelines  are  essentially  a  system 
for  QA.  The  ISO  guidelines  do  not  assure  quality.  It  is  the  combination  of  QA, 
QC,  TQM,  and  "beyond  TQM"  that  is  intended  to  assure  quality. 


•  Management  Responsibility 

-  Quality  Policy 

-  Responsibility  and  authority 

-  Verification  resources  and  personnel 

-  Management  representation 

-  Management  review 

•  Quality  system 

•  Contract  review 

•  Document  control 

•  Purchasing 

•  Purchasers  supplied  product 

•  Product  identification  and  tractability 

•  Process  control 

•  Inspection  and  testing 

•  Inspection,  measuring  and  testing 

equipment 

•  Control  of  non-conforming  products 

•  Corrective  action 

•  Handling,  storage,  packaging,  and 

delivery 

•  Quality  records 

•  Internal  quality  audits 

•  Training 

•  Statistical  techniques  &  analyses 
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Beyond  TQM 


The  background  developed  before  and  during  this  project  on  the  manage¬ 
ment  of  Human  and  Organization  Errors  (HOE)  in  the  design,  construction,  and 
operation  of  marine  systems  clearly  indicates  that  there  is  something  beyond 
TQM,  QA,  QC,  and  the  ISO  Standards  that  should  be  added  to  help  advance 
achieving  quality  in  marine  systems.  The  author  has  designated  these  activities 
as  TQE  (Total  Quality  Engineering),  TQC  (Total  Quality  Construction),  and  TQO 
(Total  Quality  Operations). 

Figure  2.3  indicates  that  there  are  two  principal  types  of  "influences"  that 
can  have  profound  effects  on  the  quality  of  a  marine  system  during  its  life  cycle. 
Both  the  environment  (or  environments)  and  humans  are  clearly  involved  in  de¬ 
termining  if  a  system  will  have  adequate  serviceability,  safety,  durability,  and 
compatibility. 

There  are  clearly  controllable  and  uncontrollable  aspects  of  both  of  these 
sets  of  influences.  Quality  managers  are  most  interested  in  the  controllable  as¬ 
pects.  The  uncontrollable  aspects  must  be  relegated  to  residual,  inherent  ele¬ 
ments  that  can  not  be  reasonably  managed  and  must  be  accepted  as  reality.  In 
many  cases,  it  is  difficult,  if  not  impossible  to  fully  identify  or  detail  the  inherent 
or  residual  aspects. 
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Figure  2.3  -  Human  and  environmental  influences  on  the  life 
cycle  quality  of  a  marine  system 


TQM  is  a  management  philosophy  intended  to  achieve  quality.  It  is  di¬ 
rected  at  the  people  and  organizational  elements  (Figure  2.4).  TQM  combines 
excellence  in  planning  (determining  the  future  goals  and  paths  to  those  goals), 
organizing  (to  achieve  the  future  goals),  leading  (to  assure  the  future  goals  are 
reached),  and  controlling  (to  monitor  and  re-direct  as  required  to  reach  the  fu¬ 
ture  goals). 
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ENVIRONMENTAL  INFLUENCES. 


Figure  2.4  -  TQM  and  "down- stream"  Total  Quality  Engineering,  Total 
Quality  Construction,  and  Total  Quality  Operations 


QA,  QC,  and  the  ISO  quality  standards  are  proactive  and  reactive  pro¬ 
cesses  and  activities  that  are  intended  to  help  achieve  quality.  These  are  ele¬ 
ments  of  a  QMS. 

In  the  author's  experience  what  is  lacking  in  these  elements  of  a  QMS  is  a 
proactive  and  reactive,  comprehensive  and  detailed  focus  on  the  "system"  and  its 
"life-cycle  quality".  The  system  includes  "hardware"  (structure,  equipment,  facil¬ 
ities),  "software"  (instructions,  procedures,  processes),  and  the  "people-ware" 
(individuals,  teams,  organizations,  and  societies).  The  life-cycle  includes  design, 
construction,  and  operations  (including  maintenance). 

TQE  is  the  activity  of  analyzing  design,  construction,  and  operations 
(including  maintenance)  systems,  determining  how  best  to  achieve  the  desirable 
levels  of  quality  in  these  systems,  and  then  engineering  systems  (hardware, 
software,  and  people  ware)  to  achieve  the  desirable  levels  of  quality.  TQE  is  not 
the  traditional  process  of  engineering  a  structure,  facility,  or  piece  of  equipment. 
It  is  beyond  this  process.  It  is  both  up-stream  and  down-stream  of  this  tradi¬ 
tional  process.  It  examines  the  guidelines,  context,  and  constraints  associated 
with  a  marine  system  and  provides  information  and  insights  to  help  achieve  a 
desirable  level  of  quality  during  the  life-cycle  of  a  marine  system.  It  goes  beyond 
hardware. 

TQE  should  develop  insights  and  information  on  the  alternatives  associ¬ 
ated  with  different  ways  to  achieve  quality  and  the  costs  and  benefits  associated 
with  different  levels  or  degrees  of  quality.  TQM  should  evaluate  these  alterna¬ 
tives  and  determine  what  levels  of  quality  should  be  developed  during  the  life- 
cycle  phases  of  a  marine  system. 
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TQC  is  the  activity  of  analyzing  construction  systems  for  a  particular  ma¬ 
rine  structure  to  be  built  in  a  particular  facility  at  a  particular  time  with  a  par¬ 
ticular  construction  "infrastructure"  and  then  determining  how  best  to  achieve 
the  desirable  levels  of  quality  in  the  constructed  product. 

TQO  is  the  activity  of  analyzing  the  operations  system  for  a  particular 
marine  structure  to  be  operated  in  a  particular  environment  and  location  at  a 
particular  point  in  time  with  a  particular  operations  "infrastructure"  and  then 
determining  how  best  to  achieve  the  desirable  levels  of  quality  in  the  operated 
marine  system. 

An  example  of  TQO  is  the  International  Safety  Management  (ISM)  Code 
[International  Chamber  of  Shipping,  1993;  International  Maritime  Organization, 

1993] .  This  Code  is  discussed  in  further  detail  in  Chapter  6.  The  objective  of  the 
ISM  Code  is  to  establish  an  international  standard  for  the  safe  management  and 
operation  of  ships.  This  objective  is  accomplished  by  setting  rule  for  the 
organization  of  company  management  in  relation  to  safety  and  pollution 
prevention  and  for  the  implementation  of  a  Safety  Management  System  (SMS). 
The  ISM  Code  is  intended  to  re-orient  the  current  approach  to  regulatory 
compliance  from  the  industry's  passive  defect  notification  and  correction 
response  mode  to  an  aggressive  approach  to  safety.  Under  such  a  proactive 
approach,  potential  discrepancies  are  resolved  by  the  companies  themselves, 
before  they  can  become  significant  safety  or  environmental  problems  [Moore, 
Roberts,  1994]. 

TQC  and  TQO  both  represent  down-stream  updating,  revision,  and  de¬ 
tailing  of  the  insights  and  information  developed  by  TQE.  If  quality  is  to  be 
achieved,  it  must  be  a  continuous  process  throughout  the  life-cycle.  If  quality  is 
to  be  achieved,  it  must  not  be  regarded  as  a  'fad'.  In  addition,  a  'compliance'  or  "I 
will  do  what  I  am  told  or  can  get  by  with"  attitude  must  not  be  allowed  to 
develop  if  quality  is  to  be  realized. 

An  important  part  of  TQE,  TQC,  and  TQO  is  the  use  of  continuous  moni¬ 
toring  and  controlling  systems  to  detect,  analyze,  and  report  quality  variances 
[Bea,  1992,  1993;  Moore,  Bea,  1993].  Such  monitoring  systems  have  several 
purposes.  The  first  purpose  is  feed-back  on  the  causes  and  locations  of  quality 
variances.  Timely  updating  of  QA  measures  and  QC  correction  should  be  a  re¬ 
sult.  The  second  purpose  is  the  development  of  "early  warning"  and  "near  miss" 
systems.  Trends  in  quality  variances  and  trends  in  the  types  and  frequencies  of 
near  misses  can  provide  important  information  to  allow  detection  of  unfolding  or 
evolving  quality  problems.  A  life-cycle  Ship  Structural  Integrity  Information 
System  (SSIIS)  is  being  developed  for  this  purpose  [Schulte-Strathaus,  Bea, 

1994] . 


Most  importantly,  TQM,  TQE,  TQC,  and  TQO  should  provide  adequate 
and  timely  "empowerment"  to  those  that  have  direct  responsibilities  for  quality. 
These  are  the  individuals  and  teams  with  their  "hands  on  the  wheels."  These 
are  the  individuals  and  teams  on  the  "front-lines"  of  design,  construction,  and 
operations  activities  associated  with  marine  systems. 
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Empowerment  includes  clearly  identified  responsibilities,  goals,  and  ade¬ 
quate  resources  (time,  money,  materials,  manpower,  knowledge)  to  achieve  qual¬ 
ity.  Empowerment  includes  a  requirement  and  demand  for  integrity  to  achieve 
quality.  Empowerment  includes  a  requirement  for  intimate  involvement,  lead¬ 
ership  and  direction  of  TQE,  TQC,  and  TQO  activities. 

If  TQE,  TQC,  and  TQO  are  to  have  beneficial,  realistic,  and  timely  results, 
then  the  driving  forces  to  achieve  quality  must  come  from  the  "front  lines."  The 
initiative,  direction,  and  implementation  must  be  centered  on  the  front  line  op¬ 
erators.  Analysts  and  "theoreticians"  should  be  involved  in  supporting, 
assisting,  and  facilitating  roles.  Extensive  hands-on  experience  in  the  details  of 
the  particular  design,  construction,  and  operation  being  addressed  is  the  most 
essential  ingredient  in  the  processes.  TQE,  TQC,  and  TQO  are  not  "numbers 
games."  TQE,  TQC,  and  TQO  are  an  attempt  to  achieve  quality  in  the  face  of  a 
hostile  environment  (the  sea)  and  in  the  face  of  many  and  great  uncertainties. 
Insufficient  knowledge  and  experience  behind  TQE,  TQC,  and  TQO  efforts 
results  in  "meddling"  or  "tinkering"  with  a  system.  The  potential  benefits  of  the 
efforts  will  not  be  realized  and  "bad  attitudes"  will  be  develop  regarding  such 
efforts. 


Experience _ _ 

During  the  past  10  years,  there  has  Table  2.2  -  Importance  of  QMS 

been  a  series  of  good  and  bad  experiences  in 
the  implementation  of  QMS.  A  recent  study 
conducted  by  Loney  and  Ramierz  [1994] 
involved  a  survey  based  on  63  U.  S.  firms  that 
had  attempted  to  implement  QMS  during  this 
time  period.  These  involved  industry  - 
manufacturing  (29  %),  services  sector  (62  %), 
and  military  (9  %)  organizations.  The  sizes  of 
the  organizations  ranged  from  less  than  100 
employees  (19  %),  to  100  to  500  employees  (22 
%),  to  more  than  500  employees  (59  %). 

Table  2.2  summarizes  the  Tier  1 
(ranked  1  to  10)  and  Tier  2  (ranked  11  -  20) 
activities  that  the  survey  indicated  to  be  most 
important  in  determining  the  success  of  QMS 
implementation. 

The  survey  identified  the  single  most 
important  requirement  for  successful 
implementation  of  QMS  was  management 
commitment.  The  major  reason  for  failure  of 
QMS  implementation  was  lack  of  genuine  and 
sufficient  management  commitment. 


activities 

fieri 

Management  commitment 
Customer  satisfaction 
Clear  vision  statement 
Cultural  change 
Education 

Participative  management 
Strategic  quality  planning 
Goal  clarity 
Error  prevention 
Top  management  steering 
Tier  2 

Timely  problem  solving 
Measurement  of  quality 
Correct  problem  identification 
Goal  setting 
Recognition  programs 
Quality  improvement  teams 
Partnerships 

Project  improvement  process 
Measurement  &  control 
Monetary  resources _ 
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Management  commitment  included  a  clear  vision  statement  (goal  clarity) 
and  provision  of  sufficient  resources  (qualified  manpower,  money,  time)  to 
achieve  quality. 

Management  commitment  addressed  the  capability  and  willingness  of 
leaders  to  define  and  implement  QMS.  The  capability  aspects  addressed 
recognition  of  organization  vulnerabilities,  an  understanding  of  business  and 
corporate  environmental  challenges,  an  objective  assessment  of  current 
capabilities,  demonstration  of  leadership  skills,  and  the  emotional  maturity 
required  for  risk  taking. 

The  willingness  aspects  addressed  overcoming  traditional  assumptions 
about  employees,  relinquishment  of  the  investment  in  the  status  quo, 
relinquishing  traditional  power  strategies  and  practices,  persistence,  integrity, 
and  maintaining  a  focus  on  transition  outcomes. 

Experience  of  these  organizations  indicates  that  the  most  important  thing 
needed  for  a  successful  QMS  is  top-down  management  commitment,  leadership, 
and  integrity.  This  experience  indicates  that  a  successful  QMS  will  not  be 
allowed  to  become  a  "paper  chase"  where  processes  are  allowed  to  subvert  the 
activities  needed  to  achieve  quality. 


Summary 


Quality  is  freedom  from  unanticipated  defects.  Quality  is  fitness  for  pur¬ 
pose.  Quality  is  meeting  the  requirements  of  those  that  own,  operate,  design, 
and  construct  marine  systems. 

Quality  is  comprised  of  four  primary  attributes:  serviceability  (do  what  it 
is  supposed  to  do),  safety  (does  not  pose  undue  risks),  durability  (free  from  unan¬ 
ticipated  maintenance),  and  compatibility  (meets  time,  monetary,  and  environ¬ 
mental  requirements). 

Quality  requires  a  permeating  philosophy.  That  philosophy  can  be  repre¬ 
sented  by  TQM.  TQM  is  comprised  of  planning,  organizing,  leading,  and  control¬ 
ling  to  achieve  quality  dining  design,  construction,  and  operation  of  a  marine 
system.  It  is  focused  on  processes  of  continuous  improvement.  It  is  focused  on 
integrity  on  the  parts  of  those  that  own,  operate,  design,  build,  and  regulate  ma¬ 
rine  systems. 

Quality  requires  a  permeating  activity  throughout  the  life-cycle  of  a  ma¬ 
rine  system.  That  activity  can  be  represented  by  QMS.  QA  and  QC  are  compo¬ 
nents  of  QMS.  A  focus  is  on  QA:  "an  ounce  of  prevention  is  worth  a  ton  of  cure." 
QC  requires  continuous  vigilance.  QC  requires  timely  feed-back  to  improve  QA. 

The  ISO  quality  standards  are  one  form  of  QA.  The  ISO  quality  standards 
are  not  QC. 
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There  is  an  important  need  to  focus  on  the  details  and  comprehensive  na¬ 
ture  of  marine  systems.  TQE,  TQC,  and  TQO  represent  activities  that  are  in¬ 
tended  to  provide  such  a  focus  during  the  evolution  and  life-cycle  of  marine  sys¬ 
tems. 

All  of  this  effort  to  achieve  quality  should  be  directed  at  empowerment  of 
those  individuals  and  teams  that  design,  construct,  and  operate  marine  systems. 
From  an  engineering  standpoint,  the  objective  is  not  to  perform  analyses,  pro¬ 
duce  numbers,  or  technical  reports  and  papers.  The  objective  is  to  provide  timely 
insights  on  how  best  to  achieve  quality.  TQE  starts  the  cycle,  it  is  further 
detailed  and  updated  by  TQC  (with  feedback  to  TQE  on  how  to  help  improve 
quality),  and  then  it  is  continuously  detailed  and  updated  by  TQO  (with  feedback 
to  TQE  and  TQC  on  where  there  are  problems  and  how  quality  can  be  improved). 

Quality  requires  commitment.  Quality  requires  integrity.  Quality  is  not 
quick,  easy,  or  free.  The  initial  costs  associated  with  achieving  quality  can  be 
repaid  many  times  over  by  the  costs  not  realized  due  to  insufficient  or 
unacceptable  quality.  So,  quality  can  be  "free". 
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Reliability 


Reliability  is  closely  related  to  quality.  Reliability  is  defined  in  this  report 
as  the  probability  that  a  given  level  of  quality  will  be  achieved  during  the  design, 
construction,  and  operating  life-cycle  phases  of  a  marine  structure. 

Reliability  is  the  likelihood  that  the  system  will  perform  in  an  acceptable 
manner.  Acceptable  performance  means  that  the  system  has  desirable  service¬ 
ability,  safety,  compatibility,  and  durability. 

The  compliment  of  reliability  is  the  likelihood  or  probability  of  unaccept¬ 
able  performance;  the  probability  of " failure "  (Pf). 

Success  is  the  ability  to  anticipate  and  avoid  failure.  Failure  is  an  unde¬ 
sirable  and  unanticipated  outcome;  the  lack  of  meeting  expected  performance;  the 
significant  loss  of  utility.  Experience  has  amply  demonstrated  that  the  single 
largest  factor  responsible  for  failure  of  marine  structures  is  "human  error". 

Likelihoods  of  not  realizing  a  desirable  level  of  quality  arise  because  of  a 
wide  variety  of  uncertainties.  During  the  design  phase  there  is  a  likelihood  of 
not  realizing  the  intended  quality  due  to  causes  such  as  an  analytical  flaw  em¬ 
bedded  in  a  finite  element  program  or  an  error  made  in  interpreting  a  design 
loading  formulation.  During  the  construction  phase,  unrealized  quality  might  be 
developed  by  the  use  of  the  wrong  materials  or  use  of  inappropriate  alignment 
and  welding  procedures.  During  the  operating  phase,  unrealized  quality  might 
be  developed  by  accidental  loading  from  collisions  or  dropped  objects  or  neglect  of 
planned  maintenance  of  coatings  and  cathodic  protection. 

Reliability  can  be  expressed  analytically  as: 

Ps  =  [1-Pfl  =  P[D  <  C]  (3.1) 

where  D  is  the  demand  placed  on  the  marine  structure  system  and  C  is  the  abil¬ 
ity  or  capacity  of  the  system  to  meet  or  satisfy  the  demand.  P  [x]  is  read  as  the 
probability  that  the  event  [x]  takes  place.  Demands  and  capacities  are  quanti- 
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fied  in  terms  used  to  define  serviceability  (e.g.  days  available  for  service),  safety 
(e.g.  margin  between  load  resistance  and  loading),  durability  (e.g.  expected  life  of 
structure),  and  compatibility  (e.g.  expected  initial  and  future  costs). 

Generally,  structural  reliability  has  been  defined  as  the  likelihood  that  the 
marine  structure's  capacity  is  exceeded  by  the  dead,  live,  and  environmental 
loading  [Moan,  1993].  This  definition  has  been  criticized  because  of  its  limited 
scope.  Conventional  structural  reliability  analysis  fails  to  address  the  other  key 
issues  associated  with  the  quality  of  the  marine  structures.  The  conventional 
definition  fails  to  address  the  other  key  hazards  to  the  quality  of  the  structure 
that  develop  during  the  life-cycle  of  the  structure  (design,  construction,  opera¬ 
tion). 


Unreliability  is  due  fundamentally  to  three  types  of  uncertainties  [Bea, 
1990].  The  first  is  inherent  or  natural  randomness  (aleatory).  The  second  is  as¬ 
sociated  with  analytical  or  professional  uncertainties  (epistemic).  The  third  is 
associated  with  errors  made  by  individuals  and  groups  of  individuals  or  organi¬ 
zations  (human  errors)  [Moan,  1993;  Bea,  Moore,  1991,  1992]. 

While  conventional  structural  reliability  assessments  have  explicitly  ad¬ 
dressed  the  first  two  types  of  uncertainty,  in  general  they  have  not  addressed  the 
third  category  of  uncertainty.  At  best,  the  third  category  of  uncertainty  has  been 
included  implicitly.  It  has  been  incorporated  in  the  background  of  data  and 
information  that  is  used  to  describe  the  uncertainties  and  variabilities. 

The  life-cycle  probability  of  a  marine  structure  not  developing  a  desirable 
level  of  quality  could  be  expressed  analytically  as: 

Pf  =  Pfi  +  Pf2+  Pf3  +  Pfl  Pf2+  Pf2  Pf3+  Pf3  Pfl  (3.2) 

where  the  subscripts  1,  2,  and  3  refer  to  the  probability  of  failure  of  the  marine 
structure  that  develop  during  the  design,  construction,  and  operating  life-cycles 
phases  of  the  structure,  respectively. 

Unreliability  that  is  developed  during  the  design  phase  could  be  expressed 
analytically  as: 

Pfl  =  Pfi.i+  Pfl.2  +  Pfl.3  +  Pfl.l  Pfl. 2+  Pfl.2Pf  1.3  +  Pfl. 3  Pfl.l  (3.3) 

where  the  subscripts  1.1, 1.2,  and  1.3  refer  to  the  probabilities  of  failure  due  to 
concept  definition,  development  of  loading,  and  sizing  and  detailing  the  struc¬ 
ture,  respectively. 

Unreliability  that  is  developed  during  the  construction  phase  could  be  ex¬ 
pressed  analytically  as: 

Pf2  =  Pf2.1+  Pf2.2  +  Pf2.3  +  Pf2.1  Pf2.2+  Pf2.2Pf  2.3  +  Pf2.3  Pf2.1  (3.4) 
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where  the  subscripts  2. 1,2.2,  and  2.3  refer  to  the  probabilities  of  failure  due  to 
fabrication,  transportation,  and  commissioning  or  installation  of  the  structure, 
respectively. 

Unreliability  during  the  operations  phase  could  be  expressed  analytically 
as: 

Pf3  =  Pf3.1+  Pf3.2  +  Pf3.3  +  Pf3.1  Pf3.2+  Pf3.2Pf  3.3  +  Pf3.3  Pf3.1  (3.5) 

where  the  subscripts  3.1,  3.2,  and  3.3  refer  to  the  probabilities  of  failure  due  to 
accidents,  maintenance,  and  environmental  conditions,  respectively. 

Later  in  this  report,  after  a  classification  and  description  system  has  been 
developed  to  permit  analyses  of  HOE  effects  in  design  and  construction,  a  simi¬ 
lar  reliability  formulation  is  developed  allow  one  to  explicitly  address  the  key 
HOE  aspects  involved  in  design  and  construction  of  marine  structures. 


Reliability  Formulation 


Reliability  is  the  likelihood  that  the  system  will  perform  in  an  acceptable 
manner.  In  the  context  of  the  design  and  construction  of  a  ship  structural  sys¬ 
tem,  reliability  will  be  expressed  in  this  section  in  two  contexts.  The  first  relates 
to  the  capacity  of  the  structural  system  and  the  second  relates  to  the  fatigue  or 
cracking  durability  of  the  structural  system. 

For  development  of  background  in  reliability  technology  applied  to  marine 
structures  the  reader  is  referred  to  the  report  by  Mansour,  et  al.  [1990],  the  text 
by  Bea  [1990],  and  the  report  by  Orisamolu  and  Bea  [1993].  Comprehensive 
texts  have  been  written  on  this  subject  and  the  reader  is  referred  to  the  texts  by 
Ang  and  Tang  [1975],  Madsen,  Krenik,  and  Lind  [1986],  Melchers  [1987],  and 
Henley  and  Kumamoto  [1981]  for  additional  background. 

In  the  context  of  capacity,  the  reliability,  Psc,  of  the  structural  system  can 
be  expressed  as: 

Psc  =  P  [capacity  >  loading]  =  P  [R  >  S]  (3.6) 

Capacity  refers  to  the  ability  of  the  structural  system  to  sustain  the  imposed  and 
induced  loadings. 

In  the  context  of  durability,  the  reliability  of  the  structural  system  can  be 
expressed  as: 

Psf  =  P  [time  to  cracking  >  service  life]  =  P  [Tc  >  Ts]  (3.7) 

where  Tc  is  the  time  (cycles)  to  cracking  in  a  Critical  Structural  Detail  (CSD)  in 
a  ship  structural  system  and  Ts  is  the  intended  or  design  service  period  for  the 
ship. 
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The  compliment  of  reliability  is  the  probability  of  failure,  Pf  (Pf  =  1  -  Ps). 
The  reliability  can  be  expressed  as  follows: 


Ps  =  <E>  [  p  ] 


(3.8) 


where  <D  is  the  standard  cumulative  normal  distribution  and  p  is  the  Safety 
Index.  The  Safety  Index  can  be  related  approximately  (1  <  p  <  3)  to  Ps  as: 


Ps  =  0.475  exp  -((3  )l-6 
or  very  approximately: 


(3.9) 


Ps  -  1  -  10-P 


(3.10) 


For  the  purposes  of  illustration,  let  it  be  presumed  that  the  probability 
distributions  of  R,  S,  Tc,  and  Ts  are  Lognormal.  Such  a  distribution  is  frequently 
an  excellent  characterization  for  these  parameters.  Then: 


In  R50  /  S50 
(oinR2  +  oinS2)0-5 


(3.11) 


In  Tc5Q  /  Ts 
oinTc 


(3.12) 


The  subscript  variables,  X50,  refer  to  the  50th  percentile  or  median  values 
of  the  variables.  This  is  a  measure  of  the  central  tendency  (or  center  of  gravity) 
of  the  probability  distributions.  olnX  refers  to  the  standard  deviation  of  the  log¬ 
arithm  of  the  variables.  This  is  a  measure  of  the  dispersion  or  variability  (or 
moment  of  inertia)  of  the  probability  distributions. 

Given  this  formulation,  the  primary  reliability  considerations  are  the 
"central  tendency"  ratios  R50  /  S50  and  Tce50  /  Ts,  and  the  uncertainty  mea¬ 
sures  olnR  ,  alnS>  and  olnTc-  The  central  tendency  ratios  (capacity  /  demand) 
can  be  interpreted  as  "factors  of  safety."  These  ratios  will  be  dependent  on  the 
probability  level  or  "return  period"  used  to  define  the  demand  quantity. 
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Capacity  Effects _ 


Figure  3.1  shows  the  15 

variation  of  the  annual  Safety  -| 

Index  with  the  factor  of  safety.  ° 
This  example  is  based  on  the  use  £ 
of  a  100-year  return  period  § 

condition  for  the  design  loadings,  ~ 

a  total  uncertainty  of  g  =  0.5,  2 

(0 

and  a  capacity  uncertainty  of  gr  « 
=  0.25.  For  example,  to  achieve  ° 
Pc  =  3  (Pfc  ~  IE-3  per  year),  | 

requires  a  factor  of  safety  of  1.7. 


2  2.5  3  3.5  4  4.5  5 


Figure  3.2  shows  how  an 
underestimate  in  the  loading  - 
capacity  uncertainties  can  reduce 
the  Safety  Index.  It  is  presumed 
that  the  "target"  or  intended 

value  of  the  Safety  Index  is  Pc  = 
3.0.  A  50  %  underestimate  in  the 
uncertainty  results  in  increasing 
the  probability  of  failure  by 
about  one  order  of  magnitude. 

Underestimation  of  the 
loading-capacity  uncertainties 
could  occur  during  either  design 
or  construction.  During 
development  of  the  design 
criteria,  there  could  be  an 
underestimation  of  the 
uncertainties  associated  with 
either  the  loadings,  capacities,  or 
both  .  During  the  construction, 
due  to  poor  quality  control,  there 
could  be  an  increase  in  the 
capacity  variability  over  that 
assumed  in  development  of  the 
design  criteria. 


Annual  Safety  Index  -  Pc 

Figure  3.1  -  Annual  capacity  Safety  Index  as 
function  of  the  factor  of  safety 


%  Error  in  G 


Figure  3.2  -  Effects  of  underestimation  errors 
in  the  total  uncertainty  in  loadings  and 
capacity  on  the  Safety  Index 


Operations  could  also  have  affects  on  both  the  loadings  and  capacities. 
Maneuvering  practices  in  severe  weather  and  maintenance  of  corrosion  protec¬ 
tion  are  examples  of  operating  influences. 
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There  also  could  be  overestimation  of  the  loading-capacity  uncertainties. 
These  would  lead  to  more  reliability  being  incorporated  into  the  system  than  was 
intended.  This  would  lead  to  unexpected  excess  strength  and  durability  in  the 
ship  structure.  Generally,  such  an  outcome  would  not  be  deemed  to  be  unde¬ 
sirable  unless  the  costs  associated  with  the  excess  strength  and  durability  were 
found  to  be  excessive.  In  this  discussion,  the  focus  will  be  on  developments  that 
could  result  in  insufficient  strength  an  durability  in  the  ship  structure. 

Figure  3.3  shows  the  effects 
of  errors  in  the  central  tendency 
ratio  of  the  ship  structure  capacity 
to  the  loadings.  In  this  case,  a  50 
%  error  in  the  ratio  results  in 
much  more  than  an  order  of 
magnitude  increase  in  the 
probability  of  failure  of  the 
structure.  The  reliability  is  more 
sensitive  to  the  central  tendency 
ratio  than  to  the  variability. 


An  underestimate  of  the 
capacity  to  loading  ratio  could 
develop  in  several  ways.  During 
the  formulation  of  the  design 
criteria,  a  systematic  bias  could  be 
introduced  that  would  result  in  an 
overestimate  of  the  capacity  or  an 
underestimate  of  the  loadings  (e.g. 
ignoring  important  dynamic 
effects).  During  construction,  there  could  be  quality  control  problems  such  as 
excessive  misalignments  or  use  of  lower  grade  steel  that  would  result  in 
systematically  lowering  the  capacity  of  the  structure. 

The  importance  of  these  results  is  as  follows.  The  central  tendency  capac¬ 
ity  to  loading  ratio  has  the  largest  effects  on  reliability.  Therefore,  the  greatest 
management  efforts  should  be  directed  to  minimize  the  possibilities  of  human 
errors  in  activities  that  could  determine  this  ratio.  A  close  second  in  this  priority 
would  be  the  uncertainties  in  the  loadings  and  capacities.  Given  the  generally 
much  greater  uncertainties  associated  with  the  loadings,  management  of  human 
errors  that  could  lead  to  under-estimates  in  the  uncertainties  in  the  loadings 
would  be  the  next  priority. 


Figure  3.3  -  Effects  of  overestimation  errors 
in  the  median  capacity  to  loading  ratio  on 
the  Safety  Index 
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Durability  Effects 


Figure  3.4  shows  the  variation 
on  the  annual  Safety  Index  at  the 
end  of  the  service  period  with  the 
central  fatigue  cracking  durability 
factor  of  safety  (Tfso/Ts).  An 
uncertainty  of  the  time  to  cracking  of 
alnTc  =  1.0  has  been  assumed  in  this 
example.  For  these  conditions,  a 
central  factor  of  safety  of  about 
Tfso/Ts  =  7  would  be  required  to 
obtain  Pfc  *  IE-2  per  year.  In  other 
words,  if  the  design  service  period 
were  20  years,  the  design  median 
time  to  cracking  should  be  about  Tf  = 
140  years. 

Based  on  the  previous 
developments,  Figure  3.5  shows  the 
variation  of  the  fatigue  cracking 
Safety  Index  as  a  function  of  service 
time.  The  Safety  Index  at  any  time, 
t,  can  be  expressed  as  follows: 

Pftgpf----/T—  (3.13) 
OlnTc 

As  noted  previously,  the  design 
Safety  Index  is  reached  only  at  the 
end  of  the  service  life;  due  to  the  lack 
of  damage  from  cyclic  loadings 
probability  of  fatigue  cracking  much 
lower)  early  in  the  life  of  the 
structure. 


Figure  3.4  -  Variation  in  the  annual 
Safety  Index  with  the  median  factor  of 
safety  on  the  time  to  fatigue  cracking 


Figure  3.5  -  Variation  of  fatigue  cracking 
Safety  Index  with  exposure  time  (design 
Safety  Index  =  2.0) 


Figure  3.6  summarizes  the 
effects  on  (if  of  potential 

underestimation  errors  in  CJlnTc-  In  this  case,  a  50  %  underestimation,  does  not 
result  in  increasing  the  probability  of  fatigue  cracking  by  an  order  of  magnitude. 
Similarly,  as  shown  in  Figure  3.7,  overestimating  the  median  time  to  fatigue 
cracking  by  50  %  does  not  result  in  increasing  the  probability  of  fatigue  cracking 
by  an  order  of  magnitude.  The  two  effects  are  very  comparable. 

The  underestimation  in  the  uncertainty  in  the  time  to  cracking  could  have 
a  design  source  or  a  construction  source  (or  both).  The  design  underestimation 
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could  be  due  to  insufficient  fatigue  testing  data  with  which  to  develop  an  accu¬ 
rate  estimate  of  the  uncertainty  or  the  median  time  to  cracking.  The  construc¬ 
tion  effects  that  would  result  in  an  underestimate  of  the  uncertainties  or  an 
overestimate  in  the  time  to  cracking  could  be  due  to  improper  profiling  of  the 
welds  (weld  profile  assumed  in  design  and  utilized  in  the  fatigue  testing  not  real¬ 
ized)  or  due  to  excessive  misalignments  (introducing  secondary  bending  stresses 
not  accounted  for  in  design). 

The  almost  equal  effects  on  the  fatigue  cracking  Safety  Index  of  the  un¬ 
derestimation  of  uncertainties  or  the  overestimation  of  time  to  cracking  would 
indicate  equal  resources  should  be  devoted  to  quality  assurance  and  control 
measures  in  both  design  and  construction  to  properly  manage  the  uncertainties 
in  the  times  to  fatigue  cracking. 


0  20  40  «0  80  100 

%  Error  In  O 


Figure  3.6  -  Effects  of  underestimating  the  uncertainty  of  time  to  fatigue  crack¬ 
ing 


Figure  3.7  -  Effects  of  overestimation  errors  in  Tf  /  Ts 
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Load  and  Resistance  Factor  Effects 


Premised  upon  Lognormally  distributed  loadings  and  capacities,  the  fol¬ 
lowing  expressions  can  be  developed  to  define  the  loading  and  resistance  factors 
required  for  a  ship  structure  Load  and  Resistance  Factor  Design  (LRFD)  format: 

050  R50  £  Y50  S50  (3.14) 

050  =  Br  exp  (-0.75  p  OlnR)  (3.15) 

Y50  =  Bs  exp  (0.75  p  OlnS)  (3.16) 

where  050  is  the  median  resistance  factor  (generally  less  than  unity),  750  is  the 
median  loading  factor  (generally  greater  than  unity),  Br  is  the  median  resis¬ 
tance  bias  =  true  median  capacity  /  nominal  median  capacity,  and  Bs  is  the  me¬ 
dian  loading  bias  =  true  median  loading  /  nominal  median  loading. 


Annual  Safety  Index  -  Pb 


Figure  3.8  -  Resistance  factors 


Figure  3.9  -  Loading  factors 


Figures  3.8  and  3.9  illustrate  the  load  and  resistance  factors  for  various 
capacity  Safety  Indices  based  on  a  capacity  bias  of  Br  =  1.44  and  a  loading  bias 
of  Bs  =  1.20.  The  capacity  bias  recognizes  that  the  ship  capacity  will  be  deter¬ 
mined  using  traditional  linear  elastic  analyses  based  on  the  occurrence  of  first 
nominal  yield  in  the  ship  structure  system  (1.15  factor  for  steel  strength  and 
1.25  factor  for  maximum  loading  capacity  above  first  yield).  The  loading  bias 
recognizes  the  tendency  for  linear  strip  theory  methods  to  under-estimate  the 
stresses  in  extreme  sea  states. 

For  example,  if  it  were  desired  to  have  a  capacity  Safety  Index  of  (3c  =  3.0 
(Pf  «  1  E-3  per  year),  then  the  resistance  factor  <))  «  0.7  and  the  load  factor  y~  1.6. 
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Figures  3.10  and  3.11  illustrate  the  effects  of  errors  in  the  estimated  load¬ 
ing  and  capacity  uncertainties.  Errors  in  the  evaluation  of  median  biases  in  the 
capacities  and  loadings  have  not  been  included.  The  errors  in  uncertainties  have 
been  illustrated  for  under-estimations  that  would  result  in  the  loading  and  resis¬ 
tance  factors  being  too  low;  this  would  result  in  the  ship  structure  being  weaker 

than  intended.  A  target  Safety  Index  of  (3c  =  3.0  has  been  assumed  in  this  illus¬ 
tration. 

A  50  %  under-estimate  of  the  uncertainties  associated  with  the  resistance 
factor  results  in  a  30  %  error  in  the  resistance  factor.  A  50  %  under-estimate  in 
the  uncertainties  associated  with  the  loading  factor  results  in  a  90  %  error  in  the 
loading  factor.  It  is  much  more  important  to  monitor  and  control  the  potential 
for  HOE  in  making  evaluations  of  the  uncertainties  associated  with  the  loadings 


Figure  3.10  -  Effects  of  errors  in  resistance  uncertainties  on  LRFD  resistance 
factor 
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Figure  3.11  -  Effects  of  errors  in  loading  uncertainties  on  LRFD  loading  factor 
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Risk  &  Risk  Management 


Risk  is  defined  in  this  report  as  the  product  of  the  likelihood  that  adequate 
or  acceptable  quality  is  not  achieved  and  the  consequences  associated  with  the 
lack  of  achieved  quality. 

Risk  results  from  uncertainties.  Uncertainties  result  from  inherent  vari¬ 
abilities  (aleatory),  "professional"  or  "technical"  sources  (analytical,  modeling, 
parameter,  epistemic),  and  "human"  sources  (individuals,  teams,  organizations, 
societies).  Some  uncertainties  are  random  (aleatory)  and  some  are  systematic 
(epistemic).  Some  uncertainties  can  be  managed  (information  sensitive,  epis¬ 
temic)  and  some  uncertainties  can  not  be  managed  (information  insensitive, 
aleatory).  Some  uncertainties  are  essentially  "static"  (unchanging  in  time)  and 
others  are  essentially  "dynamic."  Some  uncertainties  can  be  identified  and 
quantified  and  some  uncertainties  can  not  be  identified  and  quantified. 

Consequences  result  from  unrealized  expectations  and  unanticipated  lack 
of  sufficient  quality.  Consequences  can  be  expressed  in  terms  of  their  frequency, 
their  severity,  their  impacts  (on  site  and  off  site),  and  their  predictability. 

Consequences  can  be  expressed  in  a  variety  of  ways  and  with  a  variety  of 
metrics.  Monetary  costs  are  one  way  to  measure  and  express  consequences. 

Time  (schedule,  availability),  injuries  to  humans,  and  injuries  to  the  environ¬ 
ment  are  other  ways  to  express  and  measure  consequences. 

Some  consequences  can  be  managed  or  controlled  (hazard  mitigation  mea¬ 
sures).  Some  consequences  can  not  be  managed  or  controlled.  Some  conse¬ 
quences  can  be  evaluated  objectively  and  quantitatively  and  some  consequences 
can  not  be  evaluated  objectively  and  quantitatively. 

Generally,  there  are  significant  uncertainties  associated  with  the  results 
of  evaluations  of  consequences.  This  is  particularly  so  as  one  projects  the  conse¬ 
quences  of  insufficient  or  unacceptable  quality  far  into  the  future. 

Evaluations  of  consequences  are  difficult  to  make  and  express. 

Evaluations  of  consequences  are  very  susceptible  to  the  values,  views,  and  "bi¬ 
ases"  of  the  evaluators. 

Some  consequences  are  essentially  "static."  They  do  not  change  signifi¬ 
cantly  in  time.  Other  consequences  are  very  "dynamic"  in  that  they  change 
markedly  in  time. 

An  identified  risk  is  a  management  problem.  A  faulty  or  bad  definition  of 
a  risk  will  breed  additional  risk  and  result  in  bad  management  of  quality.  A  risk 
management  framework  is  based  on  intelligent  and  perceptive  risk  identifica¬ 
tion,  classification,  analysis,  evaluation,  and  response. 
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Risks  have  "sources",  are  translated  to  reality  with  "events",  and  are  felt 
with  "effects."  There  are  initiating  events  (direct  causes),  contributing  events 
(background  causes),  and  compounding  events  (propagating  or  escalating 
causes).  Risk  management  attempts  to  identify  causes,  detect  potential  and 
evolving  events,  and  control  effects. 

Risks  are  independent  and  dependent.  Risks  can  have  partial  depen¬ 
dence.  If  the  occurrence  of  one  risk  does  not  influence  the  occurrence  of  another 
risk,  then  it  is  independent.  If  the  magnitude  of  one  risk  is  related  to  the  magni¬ 
tude  of  another  risk  then  these  two  risks  are  correlated.  Independence  and  cor¬ 
relation  are  critical  issues  in  risk  management. 

Risks  are  controllable  and  uncontrollable.  Controllable  risks  are  those 
that  are  within  the  control  of  those  that  own,  operate,  design,  classify,  regulate, 
and  build  marine  systems.  Uncontrollable  risks  are  those  that  are  not  within 
the  control  of  the  groups  cited.  Risk  management  is  concerned  primarily  with 
controllable  risks.  Inherent  risk  and  uncontrollable  risk  must  be  recognized  and 
evaluated  in  the  process  of  making  decisions  regarding  the  activities  and  ven¬ 
tures  associated  with  marine  systems. 

A  risk  management  system  should  be  practical,  realistic,  and  must  be  cost 
effective.  Risk  management  need  not  be  complicated  nor  require  the  collection  of 
vast  amounts  of  data,  that  in  most  cases  of  marine  systems,  does  not  exist. 
Excellent  risk  management  is  a  combination  of  uncommon  "common  sense", 
qualified  experience,  judgment,  knowledge,  wisdom,  intuition,  and  integrity. 
Mostly  it  is  a  willingness  to  operate  in  a  caring  and  disciplined  manner  in  ap¬ 
proaching  the  critical  features  of  any  activity  in  which  risk  can  be  generated. 

The  purpose  of  a  risk  management  system  should  be  to  enable  and  em¬ 
power  those  that  design,  build,  and  operate  marine  systems.  The  purpose  is  to 
assist  those  groups  to  take  the  "right"  risks  and  to  achieve  "acceptable"  quality. 
To  try  to  eliminate  risk  is  futile.  To  try  to  manage  risks  is  the  essence  of  man's 
activities  in  the  sea. 

Risk  analysis  is  the  attempt  to  define  and  evaluate  the  sources,  effects, 
and  consequences  of  risks.  Risk  analysis  can  be  qualitative  and  it  can  be  quanti¬ 
tative.  These  are  complimentary  forms  of  risk  analysis  and  they  should  be  used 
to  support  each  other. 

Quantitative  risk  analysis  can  involve  probability  analysis,  sensitivity 
analysis,  scenario  analysis,  situation  analysis,  and  correlation  analysis. 
Quantitative  risk  analysis  can  be  objective  and  /  or  subjective. 

Qualitative  risk  analysis  will  involve  the  use  of  direct  judgment,  generally 
involves  ranking  and  comparing  attributes  and  options,  and  a  descriptive  anal¬ 
ysis  and  evaluation. 
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Decisions 


The  purpose  of  developing  qualitative  and  quantitative  models  of  risks  is 
to  provide  information  for  making  good  decisions  regarding  management  of  these 
risks.  The  development  of  a  decision  model  to  help  solve  problems  is  outlined  in 
Figure  3.12. 


Risk  Decision 
Problem 
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^[Framing  Formulation Jv 

^  Evaluation  Appraisal^ 

Figure  3.12  -  Risk  decision  analysis 


The  decision  analysis  process  is  divided  into  two  primary  parts: 

1)  analysis,  and 

2)  synthesis. 

Analysis  involves  framing  and  formulation.  These  involve  decomposition 
of  the  problem  into  its  parts.  The  subsequent  evaluation  and  appraisal  involve 
synthesis  in  which  the  parts  are  combined  into  a  whole  to  establish  the  at¬ 
tributes  of  each  possible  solution. 

The  purpose  of  framing  is  to  avoid  working  the  wrong  problem.  The  pur¬ 
pose  of  framing  is  to  state  the  precise  nature  of  a  problem  and  the  objectives  to 
be  pursued. 

Framing  is  structuring  and  re-stating  the  problem.  One  objective  of  fram¬ 
ing  is  to  surface  the  "unspoken  agendas"  that  are  generally  present  in  a  risk  de¬ 
cision  problem. 

Formulation  is  a  formal  model  based  upon  the  problem.  It  is  based  on  a 
decision  process  composed  of  three  parts  [Raffia,  1970]: 

1)  The  alternatives  available  to  the  decision  maker  to  achieve  the  particu¬ 
lar  goal. 

2)  The  information  that  describes  the  relationship  between  the  decisions 
and  possible  outcomes. 
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3)  The  preferences  of  the  decision  maker. 

Information  includes  any  form  of  model,  forecast  or  probability  assign¬ 
ment  which  indicates  the  possible  outcome  of  the  decision.  Preferences  express 
the  values  of  the  decision  makers  regarding  the  principal  outcomes  (e.g.  which  is 
more  important,  schedule  or  cost?). 

A  good  decision  is  an  action  that  is  logically  consistent  with  the  alterna¬ 
tives  available,  the  information  available,  and  the  preferences.  Good  decisions 
do  not  always  result  in  good  outcomes.  Table  3.1  lists  the  attributes  associated 
with  good  risk  decision  making  processes  [Flanagan,  Norman,  1993]). 


Table  3.1  -  Attributes  of  good  risk  decision  making  processes 


Framing 

Surveys  the  full  range  of  objectives  to  be  fulfilled  and  the  values  im¬ 
plied  by  the  choices 

Alternatives 

Thoroughly  canvasses  a  wide  range  of  alternative  courses  of  action; 
possibility  thinking 

Information 

Carefully  weighs  knowledge  about  the  costs  and  risks  of  negative  con¬ 
sequences  as  well  as  the  positive  consequences  that  could  flow  from 
each  option.  Intensely  searches  for  new  information  relevant  to  fur¬ 
ther  evaluation  of  the  options.  Keeps  an  open  mind. 

Evaluation 

Correctly  assimilates  and  takes  account  of  any  expert  judgment  and 
risk  exposure,  even  when  the  judgment  does  not  support  the  course  of 
action  initially  preferred.  Re-examines  the  positive  and  negative  con¬ 
sequences  of  all  known  alternatives,  including  those  originally  re¬ 
garded  as  unacceptable,  before  forming  the  final  choice. 

Implementa 

tion 

Makes  detailed  provisions  for  implementing  or  executing  the  chosen 
course  of  action,  with  special  attention  to  contingency  plans  that  might 
be  required  if  various  known  and  unknown  risks  were  to  materialize. 

36 


Chapter  3 


Quality,  Reliability,  Risks,  &  Decisions 


Summary 


Quality  is  freedom  from  unanticipated  defects.  Quality  is  fitness  for  pur¬ 
pose.  Quality  is  meeting  the  requirements  of  those  that  own,  operate,  design, 
construct,  and  regulate  marine  structures.  These  requirements  include  those  of 
serviceability,  safety,  compatibility,  and  durability. 

Reliability  is  defined  as  the  probability  that  a  given  level  of  quality  will  be 
achieved  during  the  design,  construction,  and  operating  life-cycle  phases  of  a 
marine  structure.  Reliability  is  the  likelihood  that  the  system  will  perform  in  an 
acceptable  manner.  Acceptable  performance  means  that  the  system  has  desir¬ 
able  serviceability,  safety,  compatibility,  and  durability. 

Reliability  can  be  expressed  as  the  probability  that  the  demands  placed  on 
a  marine  structure  can  be  supplied  by  that  structure.  The  probability  of  failure 
or  unreliability  is  the  compliment  of  the  reliability  and  is  the  likelihood  of  unde¬ 
sirable  or  unacceptable  performance  of  a  marine  structure.  Examples  have  been 
developed  pertaining  to  the  reliability  characteristics  associated  with  the  capac¬ 
ity  and  durability  of  a  marine  structure  that  indicate  the  sensitivity  of  reliability 
to  design  and  construction  factors  that  affect  loadings,  strength,  and  the  uncer¬ 
tainties  associated  with  loadings  and  strength.  Similar  examples  were  devel¬ 
oped  to  illustrate  these  effects  on  Loading  and  Resistance  Factors. 

Understanding  these  sensitivities  allows  one  to  direct  QA  /  QC  to  the  por¬ 
tions  of  the  design  process  that  have  the  highest  probabilities  of  human  errors 
and  have  the  greatest  effect  on  the  reliability  of  the  marine  structure. 

Risk  represents  the  product  of  the  likelihood  of  an  event  and  the  conse¬ 
quences  associated  with  that  event.  Risks  pervade  all  activities.  Not  all  risks 
can  be  defined  and  quantified.  A  primary  objective  is  to  manage  those  risks  that 
we  can  define  and  quantify  and  defend  against  those  that  we  can  not  define  and 
quantify. 

Decisions  involve  framing  and  analysis.  There  are  good  decision  making 
processes  and  the  attributes  of  such  processes  have  been  defined.  A  good  deci¬ 
sion  is  an  action  that  is  logically  consistent  with  the  alternatives  available,  the 
information  available,  and  the  preferences.  Good  decisions  do  not  always  result 
in  good  outcomes. 

The  next  chapter  will  examine  aspects  of  QA  /  QC,  their  potential  costs 
and  benefits,  and  illustrate  how  one  might  develop  evaluations  of  equitable  bal¬ 
ances  in  the  costs  of  achieving  quality  and  the  benefits  associated  with  that 
quality. 
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Quality  Assurance  &  Control 


Quality  Assurance  (QA)  are  those  practices  and  procedures  that  are  de¬ 
signed  to  help  assure  that  an  acceptable  degree  of  quality  is  obtained.  Quality 
assurance  is  focused  on  prevention  of  errors.  Quality  Control  (QC)  is  associated 
with  the  implementation  and  verification  of  the  QA  practices  and  procedures. 
Quality  control  is  intended  to  assure  that  the  desired  level  of  quality  is  actually 
achieved.  Quality  control  is  focused  on  reaction,  identification  of  errors,  rectifi¬ 
cation,  and  correction. 

QA  /  QC  measures  are  intended  to  assure  that  a  desirable  and  acceptable 
reliability  of  the  marine  structure  is  achieved  throughout  its  life  [Bea,  et  al., 
1994]. 

Quality  is  initiated  with  the  conception  of  a  service  or  product,  defined  with 
design,  translated  to  reality  with  construction,  and  maintained  with  high  quality 
operations. 

Achieving  quality  goals  is  primarily  dependent  on  people.  QA  /  QC  efforts 
are  directed  fundamentally  at  assuring  that  human  and  system  performance  is 
developed  and  maintained  at  acceptable  levels.  Experience  has  adequately 
demonstrated  that  most  problems  associated  with  inadequate  quality  in  marine 
structures  are  associated  with  Human  and  Organization  Errors  (HOE).  Such  er¬ 
rors  can  occur  in  the  concept  development,  design,  construction,  and  operation 
life-cycle  activities  of  a  marine  structure. 

Figure  4.1  outlines  the  strategies  that  can  be  employed  in  defining  QA  / 
QC  measures.  These  strategies  include  those  put  in  place  before  the  activity 
(prevention),  during  the  activity  (checking),  after  the  activity  (inspection),  after 
the  manufacture  or  construction  (testing),  and  after  the  structure  has  been  put 
in  service  (detection). 
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As  will  be  discussed  in  the  next  section,  the  earlier  QA  /  QC  measures  are 
able  to  detect  the  lack  of  acceptable  quality,  then  the  more  effective  can  be  the 
remediation. 

Of  all  of  the  QA  /  QC  measures,  the 
most  effective  are  those  associated  with 
prevention.  As  factors  leading  to  lack  of 
desirable  quality  are  allowed  to  become 
more  and  more  embedded  in  first  the  design, 
then  the  construction,  and  then  the 
operation  of  a  marine  structure,  then  the 
more  difficult  they  are  to  detect  and  correct. 

Personnel  selection,  training,  and 
verification;  the  formation  of  cohesive  teams 
and  encouragement  of  teamwork,  and  the 
elimination  of  unnecessary  complexity  in 
procedures  and  structure  -  equipment 
systems  are  examples  of  effective  QA  /  QC 
measures. 


Control  QA  /  QC  measures  consist  of 
procedures  and  activities  that  are  im¬ 
plemented  during  design  and  construction 
activities  to  assure  that  desirable  quality  is 
achieved.  Self-checking,  checking  by  other 
team  members,  and  verification  by  activity 
supervisors  are  examples  of  such  activities. 

Inspection  and  verification  QA  /  QC  measures  consist  of  procedures  and 
activities  that  are  implemented  after  the  design  and  construction  activity  or 
segment  of  that  activity  has  been  completed.  Design  documentation  and  con¬ 
struction  production  products  are  inspected  to  assure  compliance  with  the  appli¬ 
cable  procedures  and  specifications.  Verification  of  design  assumptions  and 
analyses  and  destructive  and  non-destructive  testing  of  constructed  elements  are 
examples  of  such  activities. 

Detection  QA  /  QC  measures  consist  of  procedures  and  activities  that  are 
implemented  after  the  marine  structure  has  been  put  in  service  to  assure  that 
desirable  and  acceptable  quality  are  maintained.  The  use  of  shipboard  monitor¬ 
ing  systems  and  in-service  inspections  to  assure  that  significant  damage  is  not 
developing  in  the  hull  structure  due  to  cracking  and  corrosion  are  examples  of 
such  activities. 


Figure  4.1  -  Quality  assurance 
and  control  strategies 
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Quality  &  Costs 


Providing  quality  in  the  design,  construction,  and  operation  of  a  ship  or 
offshore  platform  can  result  in  lower  life-cycle  costs,  be  safer,  and  minimize  un¬ 
realized  expectations.  Quality  can  result  in  significant  benefits.  But,  quality 
costs. 


Achieving  an  adequate 
level  of  quality  is  not  quick,  easy, 
or  free.  It  can  be  costly  in  terms 
of  the  initial  investments  of 
manpower,  time  and  other 
resources  required  to  achieve  it 
(Figure  4.2) .  But,  if  it  is 
developed  and  maintained,  it  can 
result  in  significant  savings  in 
future  costs. 

Consideration  of  future 
costs  requires  a  long-term  view 
of  the  performance  char¬ 
acteristics  of  a  system.  The 
objective  is  to  find  the  level  or 
degree  of  quality  that  will 
minimize  the  total  of  initial  and 
future  costs. 


V) 

o 

o 


_  minimum  initial  cost 
maximum  futura  cost 


LEVEL  OF  QUALITY 


Figure  4.2  -  Consideration  of  initial  and 
future  costs  associated  with  various  levels  of 
quality 


Different  levels  of  quality 
are  needed  for  different  levels  of 
"criticality."  If  a  structure  ele¬ 
ment,  component,  or  system  is 
particularly  critical  to  the 
quality  of  a  structure,  then  even 
though  it  may  have  identical 
initial  costs,  it  may  have  very 
different  future  costs  (Figure 
4.3). 


Higher  levels  of  quality 
and  more  intense  QA  /  QC 
measures  should  be  relegated  to 
those  element,  components,  and 
systems  that  have  higher  levels 
of  criticality. 


Figure  4.3  -  Criticality  should  determine  the 
level  of  quality 
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The  costs  to  correct 
insufficient  quality  (errors) 
are  a  function  of  when  the 
deficiencies  are  detected  and 
corrected  (Figure  4.4).  The 
earlier  they  are  caught  and 
fixed,  then  the  less  the  costs. 
The  most  expensive  time  to 
fix  quality  errors  is  after  the 
system  is  placed  in  service. 
This  places  a  large  premium 
on  early  detection  and 
correction  of  errors.  Not 
only  are  there  are  large 
direct  future  costs  associated 
with  fixing  errors,  but  as 
well  there  are  large  indirect 
costs  associated  with  loss  of 
business  and  loss  of  image. 


LIFE  CYCLE  PHASE 


Figure  4.4  -  Life  cycle  costs  to  correct  errors 


Assuming  that  the 
costs  of  quality  varies 

linearly  with  the  logarithm  of  the  probability  of  insufficient  quality,  the 
"optimum"  annual  reliability  that  produces  the  lowest  total  of  initial  costs  and 
future  costs  can  be  shown  to  be  [Bea,  1992;  Bea,  1994b]: 


Ps  =  1 


0.4348 
CR  pvf 


(4.1) 


where  CR  is  a  cost  ratio  and  pvf  is  a  present  value  discount  function.  The  cost 
ratio  is  the  ratio  of  the  costs  associated  with  not  realizing  the  desired  level  of 
quality  (CF)  to  the  costs  required  to  reduce  the  likelihood  of  not  realizing  the  de¬ 
sired  level  of  quality  by  a  factor  of  ten  (AQi).  For  a  continuous  discount  function 
and  long-life  structures  (life  >  10  years),  pvf  ~  r'l  where  r  is  the  monetary  net 
discount  rate  (investment  rate  minus  inflation  rate).  For  short-life  structures 
(life  <  5  years),  pvf  =  L,  where  L  is  the  life  in  years. 


As  shown  in  Figure  4.5,  as  the  costs  associated  with  development  of  insuf¬ 
ficient  quality  increases,  the  reliability  must  increase.  As  the  initial  costs  to 
achieve  quality  increases,  the  optimum  reliability  decreases.  The  optimum  reli¬ 
ability  is  based  on  the  quality  that  will  develop  the  lowest  total  initial  and  future 
costs.  The  marginal  probability  of  insufficient  quality  is  double  the  optimum 
quality  probability.  It  is  the  quality  in  which  the  incremental  investment  to 
achieve  quality  equals  the  incremental  future  benefit  (cost  /  benefit  =  1.0). 
Reliability  of  a  marine  structure  element,  component,  and  system  is  a  function  of 
its  criticality  expressed  by  the  product  of  the  cost  ratio  and  present  value  func¬ 
tion. 
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COST  RATIO  x  PVF 


Figure  4.5  -  The  economics  and  likelihood  of  insufficient  quality 


Quality  can  be  a  substantial  competitive  aspect  in  industrial  activities.  If 
a  purchaser  or  user  recognizes  the  benefits  of  adequate  quality  and  is  able  and 
willing  to  pay  for  it,  then  quality  can  be  a  competitive  advantage.  If  a  purchaser 
or  user  does  not  recognize  the  benefits  of  adequate  quality  or  is  unable  or  unwill¬ 
ing  to  pay  for  it,  then  quality  can  be  a  competitive  disadvantage.  Purchaser  / 
owner  quality  goals  must  be  carefully  defined  so  that  uniformity  can  be  devel¬ 
oped  in  the  degrees  of  quality  offered  in  a  product  or  service  sector.  Once  these 
goals  have  been  defined,  then  the  purchaser  /  owner  must  be  willing  to  pay  for 
the  required  quality. 

It  is  important  to  recognize  that  the  society  being  served  by  the  industry 
also  has  a  stake  in  quality.  The  industry  must  have  adequate  profitability  to 
have  adequate  resources  to  invest  in  achieving  adequate  quality.  The  general 
public  that  is  served  by  the  marine  industries  must  be  willing  to  pay  for  the 
quality  that  it  may  demand  [Bea,  1993]. 
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Cost  Based  Durability 


Cost  &  Code  Based  Calibration  of  LRFD 

The  choice  of  a  Safety  Index  (i.e.  probability  of  failure)  to  be  used  in  devel¬ 
opment  of  design  guidelines  is  a  key  issue.  The  following  example  addresses  the 
development  of  design  durability  load  and  resistance  factors  based  on  two  differ¬ 
ent  approaches;  one  is  based  on  the  economics  of  durability  and  the  other  is 
based  on  calibration  with  existing  classification  guidelines. 

For  example,  suppose  for  a  given  class  of  ships  CF  =  $  500  million,  ACi  = 
$25  million,  and  pvf  =  10  (L  =  20  years,  net  discount  rate  =  10  %),  then  based  on 
the  foregoing  economics  based  quality  developments,  Pc  =  2.9  (Pfo  =  2  E-3  per 
year).  If  however  the  ship  owner  argued  that  due  to  insurance  and  other  "pro¬ 
tective  measures"  that  CF  =  $100  million,  then  Pc  =  2.3  (Pfo  =  1  E-2).  A  reliabil¬ 
ity  philosophy  that  was  "weighted"  toward  avoiding  costs  associated  with  failure 
and  initial  costs  could  result  in  increasing  the  likelihood  of  failure  by  a  factor  of 
10.  There  would  be  important  effects  on  the  loading  and  resistance  factors. 

A  second  approach  would  be  to  "calibrate"  the  load  and  resistance  factors 
to  give  the  same  results  as  a  current  "accepted"  Working  Stress  Design  (WSD) 
format  guideline.  Given  a  Working  Stress  Design  (WSD)  format,  the  median 
factor-of-safety,  FS,  can  be  expressed  as  follows: 


R50  /  FS50  ^  S50  (4.2) 

FS50  =  R50  /  S50  (4.3) 

FS50  =  (Bs  /  Br  )  exp  ( (3  c  a  )  (4.4) 

FS50  =  Y50  /  050  (4.5) 


Given  the  previous  example  in  which  Bs  =  1.20,  Br  =  1.44,  Pc  =  3.0,  and  a 
=  0.5,  then  FS50  =  3.73.  Given  that  the  design  loadings  were  based  on  100-year 
conditions: 

FS99  =  FS50  exp  -(2.33  as)  (4.6) 

Thus,  FS99  =  1.36.  Given  a  load  factor  750  =  1.2,  then  based  on  a  "correct" 
pc  =  3.0,  050  =  0.88.  If  however,  the  present  "accepted"  design  guideline  implied 
Pc  =  2.6,  then  FS50  =  3.06  and  FS99  =  1.2.  Given  a  load  factoryso  =  1.2,  then 
050  =  1.0. 
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The  use  of  a  "calibration"  approach  would  produce  a  significant  "error"  re¬ 
sulting  in  an  under-estimate  of  the  load  factor.  Calibration  of  LRFD  factors  to 
existing  codes  will  give  the  "correct"  answer  only  when  the  existing  code  has  in¬ 
corporated  sufficient  levels  of  reliability  and  durability.  The  bias  and  uncertain¬ 
ties  associated  with  the  loading  and  capacity  factors  must  be  correctly  evaluated 
if  there  are  to  be  reasonable  proportioning  of  safety  between  the  loading  and  re¬ 
sistance  factors. 


Examples  of  Cost  Based  Durability  Criteria 

An  example  application  of  these  developments  is  illustrated  in  Figure  4.6 
for  Critical  Structural  Details  (CSD)  in  a  250,000  DWT  ULCC.  The  numbers  of 
fatigue  failures  (through  thickness  fractures)  that  can  be  anticipated  in  a  ship 
hull  structure  during  5  year  periods  throughout  a  service  life  of  20  years  are 
shown.  It  was  assumed  that  the  ship  hull  structure  had  10,000  CSD  whose  fa¬ 
tigue  strength  had  been  uniformly  determined  by  Pd's  ranging  from  1.0  to  3.0  (a 
assumed  =  1.0). 


0  0.25  0.5  0.75  1 

RATIO  OF  SERVICE  TIME  TO  SERVICE  LIFE  (T  /  Ts) 


Figure  4.6  -  Number  of  CSD  fatigue  failures  in  ULCC 
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The  ship  that  had  its  CSD  Pd  =  2.5  had  6  fatigue  failures  during  the  first 
10  years  as  compared  with  the  ship  that  had  its  CSD  Pd  =  1.0  with  203  fatigue 
failures  during  the  same  time  period.  For  fatigue  design  Safety  Indices  between 
1  and  3,  the  number  of  fractures  for  a  20-year  lifetime  ranges  from  less  than  20 
to  in  excess  of  1,000. 


1  1.4  1.8  2.2  2.6  3 


FATIGUE  DESIGN  SAFETY  INDEX 

Figure  4.7  -  Lifetime  (20  year)  costs  in  example  ULCC  hull 
structure  as  function  of  the  fatigue  design  safety  index 


The  foregoing  information  has  been  used  to  estimate  the  total  life-cycle 
costs  associated  with  fatigue  fractures  (Figure  4.7).  It  was  assumed  that  the  in¬ 
spection  process  was  capable  of  detecting  the  through- wall  fractures  that  were 
developed  at  5-year  intervals,  and  that  these  fractures  were  immediately  re¬ 
paired  to  the  initial  condition  (three  IMR  cycles).  It  was  assumed  that  the  initial 
cost  differential  between  designing  and  constructing  for  a  CSD  Pd  =  1.0  to  CSD 

PD  =  3.0  cost  $10  millions.  Further,  it  was  assumed  that  the  total  present  valued 
cost  associated  with  each  fatigue  fracture  was  $10,000  (this  included  inspection, 
repair,  and  out-of-service  costs). 

The  results  indicate  a  fatigue  design  Safety  Index  of  about  P  =  2.0  is  opti¬ 
mum.  Lower  and  higher  initial  cost  fatigue  design  Safety  Index  alternatives  re¬ 
sult  in  higher  total  costs. 
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Corrosion  Durability  Alternatives  Cost  Evaluation 

A  corrosion  durability  alternative  evaluation  can  be  developed  in  a  man¬ 
ner  similar  to  that  for  fatigue  durability.  It  is  assumed  that  the  capacity  of  a 
CSD,  Ru,  can  be  expressed  as: 

Ru  =  Sf  (ti  -  c)  (4.7) 

Sf  is  the  failure  stress  per  unit  width  of  the  CSD,  ti  is  the  initial  thickness  of  the 
CSD,  and  c  is  the  corrosion  wastage.  Note  that  corrosion  allowances  such  as  are 
included  in  some  classification  rules  would  be  incorporated  in  ti.  The  corrosion 
wastage  can  be  expressed  as: 

c  =  Rc  T  (4.8) 

Rc  is  an  average  corrosion  rate  for  a  given  period  of  time,  CSD  location,  and  pro¬ 
tection,  and  T  is  the  corrosion  exposure  time.  For  coated  surfaces,  T  can  be  de¬ 
fined  as  the  time  associated  with  loss  of  effectiveness  of  the  coating.  For  unpro¬ 
tected  surfaces,  T  would  be  referenced  to  the  time  of  initiating  service  of  the 
CSD. 


Let  the  corrosion  or  wastage  limit,  Lc,  be  expressed  as: 

t  c  _  Rc  T 
Lc  ~  ti50  =  ti 

Expressing  the  likelihood  of  a  corrosion  caused  failure,  Pfc,  as: 
Pfc  =  P[ti  -  c  <  tLl 


(4.9) 


(4.10) 


tL  is  the  limiting  plate  thickness  of  the  CSD.  Assuming  lognormally  distributed 
corrosion  and  plate  thickness  variables,  the  corrosion  Safety  Index,  Pc,  can  be 
expressed  as: 


Pc  = 


In  (to  -  Rc  T) 
tL 


slnt 


(4.11) 


The  change  of  the  corrosion  Safety  Index  as  a  function  of  time  after  the 
corrosion  protection  has  lost  its  effectiveness  can  be  expressed  as: 


PcCD  = 


Rc  T 

In  1  (1  ‘  )FS50i } 

slnt 


(4.12) 


The  corrosion  limit  can  be  expressed  as: 
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Lc  = 


exp  (be  CTlnt) 

FS50i 


(4.13) 


clnt  is  the  uncertainty  measure  (standard  deviation  of  the  logarithms)  associated 
with  the  corrosion  rate,  Rc,  the  time  to  corrosion  protection  breakdown,  T,  and 
the  uncertainties  associated  with  determination  of  the  limiting  plate  thickness, 
tL-  FSsoi  is  the  initial  central  factor  of  safety  used  in  design  of  the  CSD. 

Very  large  variabilities  are  associated  with  corrosion  rates  of  CSD  in  vari¬ 
ous  parts  of  tanker  hull  structures.  For  example,  the  corrosion  database  devel¬ 
oped  and  described  in  Bea  [1993]  indicate  olnRc  =  0.5  to  greater  than  1.5. 

For  example,  given  a  corrosion  safety  index  of  Pc  =  2.0  (about  1/100  chance 
of  exceeding  the  prescribed  limit  in  a  given  year),  an  uncertainty  measure  slnt  = 
1.0,  and  a  central  factor  of  safety  of  10,  the  resulting  corrosion  limit  would  be  Lc 
=  26  percent. 

An  understanding  of  the  change  in  the  corrosion  Safety  Index  as  a  func¬ 
tion  of  the  corrosion  exposure  period  is  illustrated  in  Figure  4.8.  This  example 
has  been  based  on  an  initial  CSD  plate  thickness  of  15  mm,  average  corrosion 
rates  of  Rc  =  0.5  to  1.0  mm/year,  a  total  uncertainty  sint  =  1.0,  and  initial  central 
factors  of  safety,  FS,  of  5  to  10.  As  the  corrosion  rate  increases,  the  rate  of  in¬ 
crease  of  the  probability  of  corrosion  failure  (exceeding  a  specified  limit)  in  a 
given  period  increases.  The  initial  factor  of  safety  has  no  effect  on  the  rate  of 
change  of  the  probability  of  failure  as  a  function  of  corrosion  exposure  time. 


CORROSION  EXPOSURE  TIME  (years) 


Figure  4.8  -  Variation  of  corrosion  Safety  Index  as  function  of 
the  exposure  time,  average  corrosion  rate,  and  initial  design 
central  factors  of  safety 
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An  example  application  of  the  foregoing  can  be  developed  as  follows. 
Assume  that  ballast  tank  CSD  have  been  designed  in  a  double  hull  ULCC  with 
an  initial  central  factor  of  safety  of  10.  The  initial  thickness  of  the  CSD  is  15 
mm.  The  expected  (average)  corrosion  rate  during  exposure  of  the  steel  in  these 
tanks  is  0.5  mm/year.  The  total  uncertainty  associated  with  the  corrosion  effects 
is  slnt  =  1.0.  The  total  surface  area  of  the  ballast  tanks  is  400,000  ft^. 

Three  corrosion  durability  alternatives  are  being  considered:  1)  no  initial 
protective  coating  and  cathodic  protection,  2)  a  5-year  expected  life  coating  and 
cathodic  protection  system  for  all  ballast  tank  surfaces,  and  3)  a  10-year  ex¬ 
pected  life  coating  and  cathodic  protection  system  for  all  ballast  tank  surfaces. 
The  corrosion  limit  has  been  defined  so  that  the  minimum  corrosion  Safety  Index 
is  2.0;  Lc  =  25  percent  wastage.  Periodic  surveys  will  be  conducted  to  assure  that 
this  limit  is  detected. 

It  will  be  assumed  that  it  costs  $10  ft^  to  provide  the  5-year  corrosion  pro¬ 
tection  and  $15  ft^  to  provide  the  10-year  corrosion  system  when  the  ship  is 
built.  For  the  5-year  and  10-year  protection  systems,  it  will  cost  $20  ft^  and  $25 
ft^  present  valued  costs,  respectively,  when  the  protection  must  be  renewed. 

The  initial  no  protection  system  will  be  designed  with  a  10  percent  corrosion  al¬ 
lowance  on  the  CSD  that  will  cost  $4,000  per  ton.  The  alternatives  will  be  as¬ 
sessed  for  a  20-year  life. 

In  the  case  of  the  no  initial  protective  coating  system,  the  corrosion  limit 
will  be  expected  to  be  exceeded  in  10  years.  At  this  time,  a  10-year  protection 
system  will  be  installed.  In  the  case  of  the  initial  5-year  protection  system,  the 
corrosion  limit  will  be  expected  to  be  exceeded  in  13  years.  At  this  time,  10-year 
protection  system  will  be  installed.  In  the  case  of  the  initial  10-year  protection 
system,  the  corrosion  limit  will  be  exceeded  in  18  years.  At  this  time,  a  5-year 
protection  will  be  installed. 

The  results  of  this  example  are  summarized  in  Figure  4.9.  The  no  initial 
protection  system  has  the  largest  present  valued  cost.  The  5-year  and  10-year 
protection  systems  have  a  present  valued  total  cost  less  than  half  of  the  initially 
unprotected  system.  There  is  little  difference  between  the  5-year  and  10-year 
protection  systems. 
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Figure  4.9  -  Lifetime  (20  year)  costs  associated  with 
three  alternative  corrosion  protection  systems 


Application 

Suppose  a  ship  owner  is  presented  with  three  durability  options  for  a  new 
ULCC  that  is  intended  for  20  years  of  operation.  Table  4.1  summarizes  the  ini¬ 
tial  costs  (millions  of  U.  S.  dollars)  associated  with  each  of  the  options  including 
the  additional  costs  associated  with  heavier  scantlings  to  increase  the  fatigue 
durability  of  CSD  and  corrosion  protection  in  the  ballast  tanks.  Option  #1  is  de¬ 
signed  to  minimum  Class  durability  requirements  (fatigue  bfD=  1.0  and  no 
coatings  in  the  ballast  tanks)  and  Option  #3  is  designed  to  result  in  very  high 
durability  (fatigue  bfo=  3.0  and  10-year  coatings  in  the  ballast  tanks). 

Option  #1  is  the  minimum  initial  cost  ULCC  and  Option  #3  is  the  highest 
initial  cost  ULCC.  The  initial  cost  of  Option  #3  is  17  %  greater  than  the  lowest 
initial  cost  option. 


Table  4.1  -  Economics  based  evaluation  of  fatigue  and  corrosion 

durability  options 


Option 

Initial 
Cost  with 
coatings 
$  MM 

Present 
Valued 
Fatigue 
Costs 
$  MM 

Present 
Valued 
Corros. 
Costs 
$  MM 

Present 
Valued 
Total 
Costs 
$  MM 

%of 

Option 

#1 

#1 

95 

95 

23 

31 

149 

100 

#2 

100 

104 

27 

10 

131 

88 

105 

111 

15 

10 

136 
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Consideration  of  the  lifetime  durability  costs  indicates  quite  a  different 
picture  of  the  economics.  Even  though  it  initially  cost  $  9  millions  more  than  the 
minimum  cost  option,  Option  #2  results  in  the  minimum  total  present  valued 
lifetime  cost.  Over  a  20-year  operating  period,  the  cost  of  Option  #2  is  88  %  of 
the  minimum  initial  cost  option.  Even  though  designed  and  maintained  to  be 
the  most  durable  option,  Option  #3  results  in  a  higher  lifetime  present  valued 
cost  than  Option  #2.  The  initial  cost  investment  in  durability  is  not  offset  by  the 
reduced  future  maintenance  costs. 


Summary 


Quality  Assurance  (QA)  are  those  practices  and  procedures  that  are  de¬ 
signed  to  help  assure  that  an  acceptable  degree  of  quality  is  obtained.  Quality 
Control  (QC)  is  associated  with  the  implementation  and  verification  of  the  QA 
practices  and  procedures.  Quality  control  is  intended  to  assure  that  the  desired 
level  of  quality  is  actually  achieved.  QA  /  QC  measures  are  intended  to  assure 
that  a  desirable  and  acceptable  reliability  of  the  marine  structure  is  achieved 
throughout  its  life. 

Given  that  quality  goals  have  been  defined,  achieving  these  quality  goals 
is  primarily  dependent  on  people.  Thus,  QA  /  QC  efforts  are  directed  fundamen¬ 
tally  at  assuring  that  human  and  system  performance  is  developed  and  main¬ 
tained  at  acceptable  levels.  Experience  has  adequately  demonstrated  that  most 
problems  associated  with  inadequate  quality  in  marine  structures  are  associated 
with  Human  and  Organization  Errors  (HOE).  Such  errors  can  occur  in  the  con¬ 
cept  development,  design,  construction,  and  operation  life-cycle  activities  of  a 
marine  structure. 

Of  all  of  the  QA  /  QC  measures,  the  most  effective  are  those  associated 
with  prevention.  As  factors  leading  to  lack  of  desirable  quality  are  allowed  to 
become  more  and  more  embedded  in  first  the  design,  then  the  construction,  and 
then  the  operation  of  a  marine  structure,  then  the  more  difficult  they  are  to  de¬ 
tect  and  correct.  Personnel  selection,  training,  and  verification;  the  formation  of 
cohesive  teams  and  encouragement  of  teamwork,  and  the  elimination  of  unnec¬ 
essary  complexity  in  procedures  and  structure  -  equipment  systems  are  exam¬ 
ples  of  effective  QA  /  QC  measures. 

Providing  quality  in  the  design,  construction,  and  operation  of  a  ship  or 
offshore  platform  can  result  in  lower  life-cycle  costs,  be  safer,  and  minimize  un¬ 
realized  expectations.  Quality  can  result  in  significant  benefits.  But,  quality 
costs. 
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Quality  can  be  a  substantial  competitive  aspect  in  industrial  activities.  If 
a  purchaser  or  user  recognizes  the  benefits  of  adequate  quality  and  is  able  and 
willing  to  pay  for  it,  then  quality  can  be  a  competitive  advantage.  If  a  purchaser 
or  user  does  not  recognize  the  benefits  of  adequate  quality  or  is  unable  or  unwill¬ 
ing  to  pay  for  it,  then  quality  can  be  a  competitive  disadvantage. 

Purchaser  /  owner  quality  goals  must  be  carefully  defined  so  that 
uniformity  can  be  developed  in  the  degrees  of  quality  offered  in  a  product  or  in  a 
service  sector.  Once  these  goals  have  been  defined,  then  the  purchaser  /  owner 
must  be  willing  to  pay  for  the  required  quality.  Ultimately,  it  is  the  public  that 
is  served  that  must  pay  the  price  for  quality. 
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Introduction 


One  of  the  primary  tasks  in  this  project  was  to  review  the  literature  on 
HOE  in  structure  design  and  construction.  This  review  included  available 
background  on  the  roles  of  HOE  in  design  and  construction  of  conventional 
buildings  and  foundations,  bridges,  dams,  airframes,  nuclear  power  plants,  and 
offshore  platforms.  In  addition,  literature  regarding  HOE  in  medical  practice 
and  computer  software  development  were  reviewed. 

The  central  theme  that  developed  from  these  reviews  was  consistent.  The 
single  largest  source  of  reliability  problems  associated  with  structures  is  HOE. 
Approximately  80  +  %  of  the  "failures"  of  such  systems  is  due  to  compounded 
HOE.  HOE  occurs  in  all  of  the  life-cycle  phases  including  design,  construction, 
and  maintenance.  In  "passive"  systems,  where  the  majority  of  human  activities 
that  influence  reliability  are  confined  to  the  design  and  construction  phases,  the 
majority  of  HOE  occurs  in  the  design  phase.  In  "active"  systems,  where  human 
activities  are  present  in  all  life-cycle  phases  including  the  long-term  operating 
phase,  the  majority  (approximately  80  %)  of  HOE  occurs  or  is  made  evident  dur¬ 
ing  the  operating  phase.  Lack  of  recognition  of  HOE  is  the  fundamental  reason 
for  the  disparities  between  computed  or  notional  reliabilities  and  actuarial  relia¬ 
bilities. 

Another  important  finding  from  this  review  regarded  quantitative  as¬ 
sessments  of  the  causes  of  HOE  related  failures.  The  review  did  not  identify  one 
source  of  reliable  objective  data  on  HOE  related  design  and  construction  failures. 
The  studies  have  been  sporadic  and  subjective  in  nature.  There  is  no  common 
classification  or  description  of  HOE  in  design  and  construction.  There  has  been 
and  still  is  no  uniform  classifications  of  errors  or  a  uniform  basis  for  identifica¬ 
tion  of  their  causes  and  effects. 
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Congressional  Committee  Findings 


In  the  early  1980's,  there  was  a  dramatic  increase  in  failures  of  structures 
in  the  United  States.  This  lead  to  a  Congressional  committee  to  investigate  the 
failures  and  determine  how  they  could  be  reduced.  The  findings  of  the  commit¬ 
tee  included  the  following  six  factors  to  help  prevent  structural  accidents 
[Committee  on  Science  and  Technology,  1983]: 

1)  improvements  in  the  communications  and  organization  in  the  construc¬ 
tion  industry. 

2)  improvements  in  the  inspection  of  construction  by  the  structural  design 
engineer. 

3)  improvements  in  the  general  quality  of  the  designs. 

4)  improvements  in  structural  connection  design  details  and  shop  draw¬ 
ings. 

5)  improvements  in  the  selection  of  architects  and  engineers. 

6)  timely  dissemination  and  application  of  technical  data. 


American  Concrete  Institute  Survey 


An  extensive  error  survey  was  carried  out  in  1977  by  the  American 
Concrete  Institute  Committee  into  factors  that  influenced  the  failures  of  conven¬ 
tional  concrete  structures  [Fraczek,  1979].  A  questionnaire  was  prepared  to  de¬ 
fine  error  detection,  types  of  errors,  consequences  of  errors,  quality  control,  and 
the  structural  elements  involved. 

Tables  5.1  and  5.2  summarize  the  results  from  the  survey  in  terms  of  the 
times  and  methods  of  error  detection.  Most  of  the  errors  that  are  developed  dur¬ 
ing  design  are  detected  during  construction  and  operations;  few  (less  than  10  %  ) 
are  detected  during  the  design.  This  is  in  contrast  with  the  errors  that  develop 
during  construction,  almost  three-quarters  of  these  errors  are  detected  during 
the  construction  phase.  The  dominant  mode  of  error  detection  is  derived  from 
observations  of  the  structure  itself  (>  90  %);  calculation  and  drawing  checking  is 
not  very  effective. 

In  terms  of  the  time  of  detection  of  errors,  these  results  have  been  con¬ 
firmed  in  a  recent  survey  of  design  and  construction  failures  [Kaminsetzy,  1991] 
(Figure  5.1).  Over  half  of  the  errors  are  detected  during  operations.  Only  2  %  of 
the  errors  are  detected  during  the  planning  and  design  stages. 
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Table  5.1  -  Time  of  detection  of  errors 


Phase 

Errors 

in 

Design 

% 

Errors 

in 

Const. 

% 

Design 

8 

„ 

Construction 

42 

75 

Operation 

50 

25 

Table  5.2  -  Methods  of  error  detection 


Errors  detected  by 

Errors 

in 

Design 

% 

Errors 

in 

Const. 

% 

8 

. 

Construction 

. 

7 

Operations 

92 

93 

■  Planning 
□  Design 

M  Construction 
EH3  Operation 


Figure  5.1  -  Detection  of  errors  in  design  and  construction  of  concrete  structures 
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European  Building  Failures  Study _ 

In  a  survey  of  European  building  failures  [Hauser,  1979],  the  causes, 
sources,  and  detection  possibilities  were  identified.  This  survey  addressed  con¬ 
ventional  steel  and  concrete  buildings.  The  results  are  summarized  in  Tables  5.3 
and  5.4. 

Insufficient  knowledge  and  ignorance  on  the  parts  of  the  design  engineer 
and  contractor  are  responsible  for  the  majority  of  failures.  In  terms  of  numbers 
of  failures,  the  contractor  is  responsible  for  the  majority  of  failures,  however  in 
terms  of  cost,  the  engineer  is  responsible  for  the  majority  of  failures. 

Hauser's  survey  and  assessment  indicates  that  the  majority  of  errors 
could  be  detected  with  more  effort  expended  in  checking  during  the  planning  / 
concept  development  stage.  A  most  important  finding  is  that  the  majority  of  vio¬ 
lations  in  planning,  construction,  or  operation  are  intentional  violations  of  gen¬ 
eral  rules  of  procedure. 


Table  5.3  -  Causes  of  failure  of  conventional  building  structures 


Causes 

Errors 

in 

Design 

% 

Errors 

in 

Const. 

% 

insufficient  knowledge 

36 

14 

reliance  on  others 

9 

5 

underestimated  influences 

16 

11 

error 

13 

4 

negligence 

14 

54 

unknown  situations 

7 

3  ! 

other 

5 

9 

Table  5.4  -  Sources  of  errors  in  conventional  building  structures 


Sources  of  Errors 

number 

cost 

% 

% 

Engineering 

28 

41 

Construction 

33 

17 

Engineering  &  Constructor 

11 

20 

Architect 

8 

1  1 

Owner  /  user 

5 

13 

Others 

15 

8 
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Hauser's  conclusions 
regarding  the  sources  of 
errors  were  confirmed  by 
Kaminetzky  [1991]  (Figure 
5.2).  Kaminetsky  also 
addressed  conventional  build¬ 
ing  structures.  These  results 
indicate  that  well  over  50  % 
of  the  errors  occur  during  the 
engineering  phase  of 
planning  and  design  (total  58 
%). 


38% 


57% 


■  Planning 
□  Design 
H  Construction 
El  Operation 


In  a  review  of  212 
cases  in  which  engineering 
was  responsible  for  the  fail¬ 
ure  of  structures  (Figure  5.3), 
Matousek  [1977]  identified 
that  insufficient  knowledge 
was  the  single  predominant 
cause  (36  %).  Note  that 
negligence  is  a  close  second 
(27  %). 

In  a  similar  review  of 
261  cases  in  which 
construction  was  responsible 
for  the  failure  of  conventional 
building  structures  (Figure 
5.4 ),  Matousek  [1977] 
identified  that  negligence  was 
the  single  predominant  cause 
(58  %). 


Figure  5.2  -  Occurrences  of  errors  in  design  and 
construction  of  structures 


10% 


■  Insufficient 
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Figure  5.3  -  Engineering  causes  of  structure 
failures 


Hauser's  conclusions 
regarding  the  causes  of 
building  structural  failures 
were  confirmed  by  Walker 
[1980]  (Table  5.5). 
Engineering  errors  (loadings, 
structural  behavior, 
calculations,  instructions)  are 
responsible  for  54  %  of  the  to¬ 
tal  number  of  causes  of 
building  structure  failures. 
The  majority  of  engineering 
errors  (61  %)  are  due  to 
errors  in  defining  the 
loadings. 


7% 


11% 


■  Insufficient 
knowledge 

□  Reliance  on 
Others 

U  Underestimate 
influences 

□  Negligence 

■  Other 


Figure  5.4  -  Construction  causes  of  structure 
failures 


57 


Role  of  Human  Error  In  Reliability  of  Marine  Structures 


Table  5.5  -  Primary  causes  of  building  structure  failures 


Cause 

% 

Ignorance  of  Loadings 

33  | 

Ignorance  of  structural  behavior 

10 

Mistakes  in  calculations  /  drawings 

7 

Inadequate  instructions  /  requirements 

4 

Ignoring  instructions  /  requirements 

9 

Wrong  fabrication  /  erection 

13 

Misuse,  abuse 

7 

Random  variations 

10 

Other 

7  I 

The  European  information  developed  by  Matousek  and  Schneider  [1977, 
1979]  was  based  on  failure  dossiers  from  insurance  companies,  published  re¬ 
ports,  and  personal  information  from  engineering  firms  and  contractors.  The  fol¬ 
lowing  lists  some  of  the  primary  conclusions  from  their  study: 

1)  Most  of  the  damage  occurs  during  construction  due  to  poorly  planned 
construction  factors  (erection,  assembly). 

2)  Errors  in  planning  lead  to  a  larger  amount  of  structure  and  equipment 
damage  while  the  consequences  of  errors  in  construction  are  more  se¬ 
vere  with  respect  to  injuries. 

3)  The  cause  of  failures  is  predominantly  due  to  human  errors;  about  75  % 
of  the  instances  of  damage  and  90  %  of  the  costs  of  damage  are  due  to 
human  error. 

4)  About  45  %  of  failures  are  due  to  defects  in  design,  49  %  due  to  con¬ 
struction,  and  6  %  due  to  improper  use  and  inadequate  maintenance. 

5)  A  large  proportion  of  the  mistakes  leading  to  failures  could  have  been 
detected  by  adequate  checking  by  the  person  next  involved  in  the  engi¬ 
neering  and  construction  processes. 

6)  Most  (32  %)  of  the  mistakes  could  be  detected  by  additional  control;  an 
additional  33  %  and  17  %  of  the  mistakes  could  be  detected  during  the 
planning  and  construction  stages,  respectively. 

7)  Additional  inspection  and  checking  during  planning,  design,  and  con¬ 
struction  is  the  most  efficient  method  of  error  control. 
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Recent  U.  S.  Structural  &  Construction  Failures 


Eldukair  and  Ayyub  [1991]  reviewed  a  total  of  604  structural  and 
construction  failures  in  the  U.  S.  during  the  period  of  1975  - 1986.  The  survey 
was  based  on  information  gathered  from  the  Engineering  News  Record  (ENR) 
during  this  time  period.  ENR  reported  only  on  selected  major  failure  cases  and 
the  failure  causes  that  were  studied  were  caused  by  variation  within  and 
departure  from  common  engineering  practices.  Most  of  the  failure  cases  were 
related  to  commercial  buildings,  bridge,  and  residential  building  projects. 

The  sources  of  error  in  the  structure  failures  were  mainly  associated  with 
technical  errors.  Seventy  eight  percent  of  the  structural  failures  cases  indicated 
that  technical  errors  were  the  dominant  source  of  error.  Technical  errors  in 
design  and  construction  were  about  equal  contributors  to  the  failures.  Technical 
errors  in  operations  had  about  half  the  incidence  of  those  in  design  and 
construction. 

Forty  percent  of  the  failures  involved  management  errors  (the  total 
exceeds  100  %  due  to  multiple  causes  or  contributions  to  the  failures). 
Management  errors  occurred  primarily  in  work  responsibilities  (30  %  of  failures) 
and  in  communications  (17  %  of  failures). 

The  distribution  of  failure  cases  with  respect  to  the  sources  of  error  by 
participant  are  summarized  in  Table  5.6.  The  structure  designer  was  involved  in 
almost  50  %  of  the  failures.  The  structure  constructor  was  involved  in  almost  60 
%  of  the  failures. 

Table  5.7  summarizes  the  distribution  of  failure  causes  relative  to  human 
behavior  as  defined  by  Eldukair  and  Ayyub  [1991].  Insufficient  knowledge,  lack 
of  proper  training,  underestimation  of  influence,  and  carelessness  were 
dominant  contributors  to  the  failures. 


Table  5.6  -  Participants  in  Table  5.7  -  Failure  Causes 

structure  errors 


Description  of  human 
behavior 

Failure 

Cases 

(%) 

Insufficient  knowledge 

66.7 

Lack  of  training 

57.3 

Lack  of  foresight 

33.0 

Lack  of  authority 

45.4 

Reliance  on  others 

29.0 

Underestimation  influ. 

72.2 

Negligence,  carelessness 

82.0 

Unknown  situation 

33.3 

Lack  of  communication 

37.1 

Participant 

Failure 

Cases 

(%) 

Project  architect 

3.0 

Structural  designer 

48.2 

Resident  Engineer 

31.1 

Inspector 

27.6 

Contractor  (staff) 

3.8 

Contractor 

59.6 

(workmen) 

17.4 

Operator 

2.8 
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Table  5.8  summarizes  the  primary  causes  or  initiating  errors  in  the 
structure  failures.  In  design,  inadequate  loading  analyses  and  inadequate 
design  of  connections  were  both  initiating  causes  in  almost  50  %  of  the  failures. 
Poor  construction  assembly  procedures  were  present  in  more  than  50  %  of  the 
failures. 

Table  5.9  summarizes  the  secondary  or  contributing  (or  compounding) 
causes  of  structure  failures.  Environmental  effects  (bad  weather)  was  present  in 
50  %  of  the  failures.  Lack  of  supervision,  improper  communication,  and 
foreseeable  deterioration  were  each  present  in  about  one-third  of  the  failures. 


Table  5.8  -  Primary  causes 


Table  5.9  -  Secondary  causes 


Description 

Failure 

Cases 

(%) 

Inadequate  loads 

45.2 

Inadequate  connections 

47.0 

Reliance  on  construction 

1.8 

accuracy 

Errors  in  design  calcs. 

2.5 

Unclear  contracts 

23.5 

Contravention  of 

21.8 

instructions 

Complexity  of  project 

1.2 

system 

Poor  assembly  proc. 

54.3 

Unforseeable 

7.1 

No  information 

15.5 

Description 

Failure 

Cases 

(%) 

Lack  of  engineering. 

8.1 

responsibilities 

Environmental  effects 

49.0 

Poor  mat.  /  equip,  use 

23.5 

Lack  of  engineering 

0.9 

specialization 

Improper  workmanship 

7.0 

Lack  of  safety  training 

1.7 

Lack  of  work  coord. 

7.1 

Lack  of  supervision 

36.6 

Improper 

33.3 

communication 

Application  of  new  tech. 

1.2 

Forseeable  deterioration 

28.3 

No  information 

34.0 

Summary  of  Building  Failures  Studies 


As  a  summary  of  building  failures  studies  that  were  reviewed  diming  this 
project,  Table  5.10  summarizes  the  occurrence  of  errors  that  are  developed  in  the 
life-cycle  of  conventional  building  structures  by  the  particular  cycle  in  which  the 
error  occurs.  The  column  indicated  as  "other"  includes  cases  where  failure  could 
not  be  attributed  clearly  to  any  one  phase. 

The  results  from  the  various  surveys  are  reasonably  consistent.  The  ma¬ 
jority  of  the  results  indicate  that  a  majority  of  errors  occur  in  the  design  and 
construction  phases  with  there  being  about  an  equal  split  between  these  two 
phases.  The  operating  phase  occurrence  of  errors  is  relatively  low  in  most  cases. 
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Table  5.10  -  Summary  of  occurrence  of  errors  in  building  structures 


Reference 

Design 

% 

Construction 

% 

Operation 

% 

Other 

% 

Matousek  [1982] 

45 

49 

8 

2 

Yamamoto,  Ang  [1982] 

36 

43 

21 

Rackwitz,  Hillemeir  [1983] 

46 

30 

23 

1 

Melchers,  et  al.  [1983] 

55 

24 

21 

Fraczek  [1979] 

51 

49 

Allen  [1979] 

51 

49 

Hadipriono  [1985] 

19 

27 

33 

20 

Hauser  [1979] 

37 

35 

5 

23 

Gonzales  [1985] 

29 

59 

12 

Eldukair,  Ayyub  [1991] 

51 

57 

31 

4 

Table  5.11  summarizes  the  identified  causes  of  failures  of  conventional 
buildings  derived  from  two  studies.  Again,  the  results  from  these  two  studies 
are  reasonably  consistent  in  their  indications  of  the  causes  of  errors.  Insufficient 
knowledge  is  the  primary  cause  followed  by  negligence  and  carelessness. 
Melchers  [1983]  notes  that  calculation  blunders  in  design  are  only  a  minor 
source  of  error.  These  are  usually  detected  and  corrected  in  internal  or  self 
checking.  The  studies  also  indicate  that  preparation  and  interpretation  of  design 
drawings  and  contract  documents  are  not  a  major  source  of  error. 


Table  5.11  -  Causes  of  errors  in  design  and  construction  of  building  structures 


Reference 

Negligence, 

carelessness 

% 

Insufficient 

Knowledge 

% 

Mistakes 

% 

Reliance  on 
others 

% 

Other 

sources 

% 

Matousek 

[1982] 

35 

38 

9 

6 

12 

Melchers, 
et  al.  [1983] 

24 

52 

8 

2 

13 

Eldukair, 

Ayyub 

[1991] 

82 

67 

29 
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Fundamental  misconceptions  regarding,  loadings,  structural  behavior  and 
lack  of  attention  to  joint  and  supporting  conditions  appears  to  be  the  most 
serious  source  of  design  error  [Melchers,  1983].  Often  there  are  early  warning 
signs  or  precursors  for  failures  in  either  the  design  or  construction  processes,  but 
often  they  are  either  not  recognized  or  ignored  [Melchers,  1983]. 

One  might  expect  construction  to  be  the  dominant  phase  in  which  human 
errors  occur.  The  results  of  the  surveys  do  not  bear  this  out.  Separation  of  de¬ 
sign  and  construction  activities  [Flint,  Quinion,  1978],  diffusion  of  responsibility 
in  the  construction  process  have  created  significant  communication  problems 
and  resulted  in  many  of  the  errors  in  construction  [Flint,  Quinion,  1978], 

In  a  recently  published  study  of  buildings  that  failed  during  the 
Northridge  California  earthquake  of  17  January  1994,  Krawinkler  [1994]  ob¬ 
served  that  no  recently  completed  building  received  a  clean  bill  of  health  and  he 
posed  the  question: 

"Can  we  as  engineers  be  satisfied  with  the  state  of  knowledge 
available  to  practitioners  with  the  level  of  protection  implied  by  code 
design,  and  with  the  implementation  process  used  in  design  and 
construction ?" 

In  reply,  Krawinkler  proposed  that  professional  activities  needed  to  be 
improved  in  five  primary  areas: 

1)  Improved  knowledge  -  develop  improved  structural  analysis  and 
design  procedures  and  develop  socioeconomic  models  that  tell  engineers 
how  to  invest  limited  resources  more  effectively. 

2)  Better  quality  control  -  better  understanding  and  interaction 
between  owners,  architects,  engineers,  and  contractors. 

3)  Better  codes  -  codes  need  to  safeguard  against  weak  links  in  the  load 
paths  to  ensure  a  safe  transfer  of  the  maximum  expected  loads  and  there 
needs  to  be  design  verification  recognizing  inelastic  behavior  and 
incorporation  of  all  elements  that  attract  loads.  Codes  should  provide 
criteria  for  damage  control. 

4)  Better  code  compliance  -  violations  of  code  requirements  need  to  be 
stopped. 

5)  Better  education  -  structural  engineers  need  continuing  education 
and  equally  as  important  education  is  needed  for  the  public,  owners  and 
lenders,  and  other  professionals. 

These  observations  have  direct  applicability  to  design  and  construction  of 
ship  structures. 
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Errors  in  Structural  Engineering _ _ 


In  his  review  of  errors  in  structural  engineering,  Brown  [1988]  draws  the 
following  conclusions  regarding  classifications  of  errors: 

1)  Errors  cannot  be  eliminated  and  only  a  small  proportion  can  be  identi¬ 
fied  prior  to  construction. 

2)  Engineers  and  contractors  are  responsible  for  most  errors.  Those  of  en¬ 
gineers  result  from  omissions  in  professional  preparation  and  experi¬ 
ence  of  individuals,  while  those  of  contractors  result  from  ignorance, 
neglect,  and  thoughtlessness. 

3)  Errors  are  largely  evident  as  violations  of  accepted  professional  rules, 
codes,  and  paradigms. 

4)  Multiple  errors  are  usually  required  to  produce  failures. 

Brown  [1988]  draws  the  following  conclusions  regarding  the  causes  of 
errors: 

1)  Poor  training  and  pay  of  field  inspectors. 

2)  Inadequate  preparation  and  review  of  contract  and  shop  drawings. 

3)  Breakdown  or  misinterpretation  of  communications  between  the  de¬ 
sign-construction-operation  communities. 

4)  Lack  of  professional  design  and  construction  experience,  especially 
when  novel  structures  are  needed. 

5)  Complexity  of  codes  and  specifications  leading  to  misinterpretation  and 
misapplication. 

6)  Unwarranted  belief  in  calculations  and  specified  extreme  loads  and 
properties. 

7)  Frequent  personnel  changes. 

8)  Compressed  design  -  construction  times. 
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Error  Prone  Structures 


Pugsley  [1973]  studied  the  factors  that  background  a  large  variety  of  fail¬ 
ures  of  both  conventional  and  innovative  structures.  As  a  result  of  this  study, 
Pugsley  advanced  eight  parameters  of  significance  in  promoting  or  causing  fail¬ 
ures: 


1)  The  work  involves  new  or  unusual  materials. 

2)  The  construction  methods  are  new  or  unusual. 

3)  The  structural  geometry  or  form  are  new  or  unusual. 

4)  The  design  and  construction  team  is  not  experienced  and  well  orga¬ 
nized. 

5)  The  engineers  are  not  informed  thorough  an  adequate  research  and  de¬ 
velopment  background. 

6)  The  industrial  -  labor  condition  and  climate  are  not  stable. 

7)  The  financial  climate  and  work  funding  are  not  adequate. 

8)  The  political  climate  is  not  benign. 

Pugsley  suggested  that  the  intensity  of  the  human  error  control  measures 
should  depend  on  the  conditions  surrounding  the  design  and  construction  pro¬ 
cesses.  Pugsley  utilized  the  foregoing  eight  parameters  to  estimate  a  measure 
called  the  error  proneness. 

In  his  review  of  the  Pugsley  error  proneness  method,  Allen  [1984]  con¬ 
tended  that  the  method  does  not  help  in  the  detection  and  correction  of  errors. 
The  difficulty  was  that  the  weights  assigned  to  the  eight  factors  before  a  failure 
by  the  people  working  on  a  project  will  differ  greatly  from  those  assigned  by  ex¬ 
perts  either  during  the  project  or  after  a  failure. 

Fox  [1982]  expanded  Pugsley’s  idea  to  develop  a  numerical  estimate  of  the 
failure  probability  from  observable  attributes  of  the  structure.  He  listed  the 
conditions  that  promote  errors  in  design  and  construction  as  summarized  in 
Table  5.12.  Each  of  the  eight  design  and  construction  conditions  were  given  a 
rating  from  low  to  high  with  a  numerical  weight  based  on  his  evaluation  of 
failures  that  had  been  promoted  by  each  condition. 
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Table  5.12  -  Calculation  of  gross  error  factor 


Design  Conditions 

Low 

Med. 

Low 

Aver 

age 

Med. 

High 

High 

•  Thoroughness  of  preliminary  investigations 

•  Experience  and  ability  of  engineers 

•  Familiarity  of  the  engineers  with  the  structure 
type  and  materials 

•  Availability  of  time,  money,  and  political  assis¬ 
tance 

•  Thoroughness  of  verification  and  checking 

•  Relations  between  the  engineers  and  contractors 

•  Organization  of  the  design  team,  communica¬ 
tions,  and  responsibilities 

•  Availability  of  design  references  and  the  simplic¬ 
ity  of  the  structure 

Construction  Conditions 

•  Clarity,  completeness  and  accuracy  of  specifica¬ 
tions  and  drawings 

•  Experience  and  ability  of  the  contract 

•  Familiarity  of  the  contractor  with  the  method  of 
construction  or  the  type  of  structure 

•  Availability  of  time,  money,  equipment,  or  politi¬ 
cal  assistance 

•  Thoroughness  of  inspection,  QA,  QC 

•  Relations  between  the  engineer,  owner,  and  con¬ 
tractor 

•  Organization  of  the  construction  team 

•  Labor  relations  (attitudes  of  the  workers) 
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Errors  in  Geotechnical  Engineering 


As  a  result  of  a  review  of  more  than  200  foundation  failures,  Sowers 
(1993)  indicated  that  the  majority  of  failures  were  due  to  either  rejection  of  tech¬ 
nology  or  ignorance  (Figure  5.5);  only  12  %  of  the  failures  were  due  to  lack  of 
technology. 

The  author  found  these  results  to  be  particularly  interesting  as  they  might 
apply  to  the  design  of  ship  structures.  These  two  areas  of  engineering  have 
much  in  common.  In  both  areas  the  loadings  are  extremely  difficult  to  determine 
accurately,  the  critical  properties  and  performance  characteristics  of  the  system 
are  difficult  to  determine  and  analyze  accurately,  the  engineering  procedures  are 
complex  and  not  easily  reduced  to  design  guidelines  or  codes,  and  both  areas  are 
subject  to  wide  variety  of  organizational  influences  and  pressures. 


12% 


■  Ignorance 

□  Rejection  of 
Technology 

M  Lack  of 
Technology 


Figure  5.5  -  Causes  of  foundation  failures 


Sowers  suggests  a  number  of  approaches  to  reduce  the  88  %  of  geotechni¬ 
cal  failures  that  are  due  to  ignorance  and  rejection  of  technology.  He  suggests 
continuing  and  intensifying: 

"weeding  out  the  ignorant  and  incompetent  by  better  enforcement  of 
engineering  registration  laws,  increasing  the  awareness  of  engineers 
of  their  limitations  in  making  decision  involving  both  specialized 
and  multi-disciplinary  knowledge,  and  to  add  to  the  knowledge  of 
practicing  engineers  through  required  continued  education  as 
technology  develops. " 
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Sowers  observes  that  reducing  the  proportion  of  failures  caused  by  reject¬ 
ing  or  failing  to  use  current  technology  is  very  difficult.  He  then  offers  the  follow 
comments  about  this  problem: 

"It  essentially  is  faulty,  absent,  or  malicious  communication. 
Communication  is  a  skill.  It  can  be  learned  through  education,  both 
during  the  engineer's  basic  training  and  by  continuing  education.  It 
must  be  developed  by  practice. " 

"Balancing pressures  is  the  most  difficult  challenge... The  overall 
pressures  of  time,  money,  and  the  total  environment  effect  each 
project  in  a  different  way.  Sometimes  they  motivate  those  persons 
that  apply  pressure,  sometimes  they  act  in  directly  de  motivating, 
distracting,  or  inhibiting  the  engineer.  Of  these,  time  and  money  are 
major  influences  on  technology. " 

"An  innovative  responsible  engineer  is  the  most  important  force  in 
reducing  failures.  Our  challenge  in  minimizing  failures  is  instilling 
that  sense  of  responsibility  in  engineering  students  and  enhancing 
that  responsibility  among  our  professional  colleagues. " 


Control  Approaches 


There  are  two  fundamental  approaches  to  HOE  problems  in  design  and 
construction.  The  first  is  to  limit  the  occurrence  of  HOE.  The  second  is  to  re¬ 
duce  the  impacts  of  HOE. 

Essunger  and  Ostlund  [1983]  discuss  two  types  of  control;  external  and  in¬ 
ternal.  External  control  was  shown  to  have  the  advantage  of  being  less  depen¬ 
dent  on  such  factors  as  the  conditions  of  work,  the  working  situation,  and  the 
economic  result  of  the  work.  Internal  control  was  shown  to  have  the  advantage 
of  being  executed  by  persons  who  often  have  a  greater  knowledge  of  the  charac¬ 
ter  of  the  work  and  who  are  aware  of  the  kinds  of  problems  that  can  be  expected. 

Essunger  and  Ostlund  [1983]  indicated  that  gross  errors  are  relatively 
rare  and  it  is  generally  not  possible  to  discover  them  by  a  random  check.  Their 
work  indicates  that  checking  should  be  directed  toward  discovering  errors  which 
would  lead  to  a  failure  which  has  severe  consequences.  They  suggested  that  in¬ 
dependent  checking  should  be  performed  at  key  decision  points  in  the  project, 
especially  where  responsibility  for  the  project  changes  hands. 

The  study  by  Hillemier  [1982]  indicates  that  the  success  of  the  realization 
of  major  projects  depends  more  on  the  application  of  management  rules  than  on 
exactly  executed  technical  details.  His  work  resulted  in  the  following  recom¬ 
mendations: 

1)  Information  on  damage  and  failure  statistics  should  be  developed  and 

distributed  to  promote  a  better  understanding  of  problems. 
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2)  Basic  decisions  on  the  type  of  the  structural  systems  are  fundamentally 
made  in  the  preliminary  design  stage;  experience  shows  that  errors  estab¬ 
lished  at  the  initial  stage  are  hardly  ever  corrected  later. 

3)  Activities  affecting  quality  should  be  performed  within  an  organization 
structure  which  has  clearly  defined  responsibilities  and  authorities.  It  is 
critical  to  minimize  information  obstacles. 

4)  Ensuring  the  quality  in  engineering  first  requires  an  identification  of 
critical  areas  in  planning  and  execution,  followed  by  the  specification  of 
priorities  for  their  treatment. 

5)  Designers  should  be  taught  to  think  not  only  in  terms  of  design  limit 
states  and  load  combinations,  but  also  in  terms  of  hazard  or  failure  sce¬ 
narios. 

Lind  [1986]  suggested  that  education,  personnel  selection,  task  complexity 
reduction,  quality  control  procedures,  and  the  legal  framework  are  all  important 
in  reducing  human  error,  but  not  all  are  equally  effective.  Lind  concluded  that 
there  is  virtually  no  objective  data  on  the  effectiveness  of  human  error  control 
measures. 

Nowak  and  Lind  [1985]  indicated  that  effective  control  of  human  errors 
requires  a  knowledge  of  the  state  of  the  system  and  a  practical  contingency  plan 
of  action  for  each  state.  They  proposed  an  event  tree  model  to  represent  the  an¬ 
ticipated  performance  of  structures  during  design,  construction,  and  operations. 
A  scenario  was  defined  as  a  path  in  the  event  tree  leading  from  the  initial  to  the 
final  state.  They  contended  that  the  designer  should  consider  all  scenarios  that 
end  in  failure  of  the  structure,  and  by  suitable  design,  should  adjust  the  proba¬ 
bilities  so  that  the  probability  of  failure  is  acceptable.  Nowak  and  Lind  con¬ 
cluded  that  structures  and  their  components  can  be  placed  into  categories  with 
regard  to  proneness  to  errors  and  sensitivity  to  errors.  The  control  measures 
were  directed  to  the  components  and  steps  in  the  design  process  that  had  the 
greatest  effects  on  the  likelihood  of  failure. 

Nessim  [1983]  applied  the  decision  tree  approach  to  the  problem  of  human 
error  control.  Nessim  concluded  that  the  optimal  course  of  action  is  that  which 
gives  the  maximum  expected  utility.  This  approach  requires  that  each  system  be 
treated  as  a  unique  system  and  studied  in  great  detail. 

Nowak  and  Lind  [1985]  suggested  the  following  procedure  to  identify 
where  and  how  to  place  human  error  controls: 

1)  Develop  the  structural  model,  identify  the  parameters  and  limit  state 
functions,  estimate  the  distribution  functions  of  the  parameters. 

2)  Generate  possible  scenarios  of  departure  from  the  developed  model. 

3)  Calculate  the  reliability  for  each  scenario. 
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4)  Calculate  the  overall  system  reliability,  including  human  errors  and  the 
expected  value  of  the  reliability  for  various  scenarios  with  the  correla¬ 
tion's. 

5)  Identify  the  most  sensitive  parts  of  the  structure  and  the  design  pro¬ 
cess,  concentrate  control  efforts  on  the  items  that  have  a  significant  effect 
on  the  overall  reliability. 

Nowak  and  Carr  [1985]  concluded  that  sensitivity  functions  and  estimates 
of  the  frequencies  for  the  corresponding  errors  can  be  used  as  criteria  for  select¬ 
ing  error  control  measures.  This  fits  the  control  procedures  to  the  important 
problems  thus  producing  more  efficient  control.  The  objective  is  to  design  control 
systems  to  limit  those  errors  which  are  the  most  consequential. 


Checking  Models  in  Structural  Design 


During  the  period  1982  through  1987,  Melchers  and  Stewart  conducted  a 
series  of  studies  that  addressed  the  efficiency  of  checking  models  in  structural 
design.  Their  studies  addressed  checking  performed  on  three  "levels":  (1)  self¬ 
checking,  (2)  independent  detailed  design  checking,  and  (3)  overview  checking. 

Their  studies  were  based  on  questionnaires  that  were  completed  by  con¬ 
ventional  building  design  firms  in  Australia.  Their  studies  were  designed  pri¬ 
marily  to  address  errors  of  commission.  Errors  of  commission  were  those  that 
involved  errors  in  the  performance  of  design  tasks  including  evaluation  of  design 
loadings  and  sizing  structural  members. 

Errors  of  omission  involving  a  failure  to  perform  a  task  were  shown  to  be 
substantially  more  difficult  to  catch  and  correct  than  errors  of  commission;  the 
checking  efficiency  was  more  than  an  order  of  magnitude  lower  for  errors  of 
omission. 

Regarding  self-checking,  their  studies  showed  that  self-checking  detects 
only  the  small  or  minor  errors  that  occur  in  calculations.  Self-checking  was  not 
effective  in  catching  errors  due  to  misconceptions,  oversights,  or  misunderstand¬ 
ings.  The  results  of  deliberate  and  conscious  design  decisions,  once  taken,  ap¬ 
pear  seldom  to  be  doubted  by  the  designer  or  design  team.  The  survey  demon¬ 
strated  that  the  detection  rate  for  self-checking  for  small,  or  minor,  initial  error 
magnitudes  is  much  greater  than  for  larger  initial  error  magnitudes.  Quoting 
from  their  study  conclusions: 

"It  might  be  concluded  that  (as  a  group)  designers  tend  to  be  more 
concerned  with  relatively  minor  details  and  technicalities  and  that 
they  tend  to  ignore  larger  errors....the  present  results  appear  to 
contradict  conventional  wisdom,  it  being  commonly  assumed  that 
larger  errors  are  more  detectable. " 
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Their  study  developed  some  interesting  data  regarding  the  likelihood  of 
calculation  errors  given  a  sequence  of  calculations.  The  data  indicates  that  the 
larger  the  number  of  steps  involved  in  the  calculations,  then  the  more  likely  is 
an  error  (Figure  5.6).  Data  were  also  developed  regarding  the  likelihood  of  er¬ 
rors  for  different  types  of  design  tasks.  These  are  summarized  in  Table  5.13. 

In  their  study  of  the  effectiveness  of  independent  detailed  design  checking, 
two  factors  influencing  checking  effectiveness  were  isolated  as  being  of  par¬ 
ticular  interest.  These  were  total  time  for  checking  (and  therefore  checking  ef¬ 
fort)  and  error  magnitude.  The  errors  included  in  the  survey  included  calcula¬ 
tions,  table  look-up,  transfer  of  information,  code  look-up,  and  loading  directions. 


Regarding  checking  time,  their 
work  indicated  that  an  S- shaped 
learning  curve  was  appropriate 
(efficiency  of  checking  versus  time). 
The  initial  growth  was  attributed  to 
the  designer  attempting  to 
understand  the  design  concept  and 
procedure.  This  was  followed  by  a 
period  involving  checking  of  each 
micro-task  for  any  errors,  and  in 
which  many  of  the  errors  were 
detected.  Finally,  the  designer  would 
reach  the  stage  of  diminishing 
returns,  resulting  in  a  reduced  rate  of 
checking  efficiency.  The  S-shaped 
learning  curve  would  be  different  for 
different  types  of  design  tasks  and 
errors. 


1  2  3  4  5  6  7  8 

Number  of  Calculations 


Figure  5.6  -  The  rates  of  errors  based  on  a 
sequence  of  design  calculations 


Table  5.13 

Design  activity  error  rates 


In  general,  as  checking  time 
increased,  the  probability  of  detection 
of  the  errors  increased.  For  the 
particular  design  tasks  evaluated,  at  a 
checking  time  of  30  to  40  minutes,  the 
checking  efficiency  increased  to 
approximately  80  %. 


Regarding  error  magnitude,  the 
results  indicated  that  larger  errors 
were  more  easily  detected  than 
smaller  ones.  At  an  error  magnitude 
of  200  %,  the  checking  efficiency 
(probability  of  detection)  was  in  the  range  of  60  %  to  80  %. 


Error 

Rate 

Code 

interpretations 

0.0150 

Rankings 

0.0135 

Table  look-ups 

0.0126 

Loading  coefficients 

0.1333 

Loading  directions 

0.1000 

Loading  reduction  f 
tors 

ic-  0.8000 

Loading 

combinations 

0.4167 

In  their  study  of  overview  checking,  some  105  practicing  engineers  were 
surveyed.  Decisions  as  to  the  adequacy  of  11  simple  structural  designs,  all  sim¬ 
ply  supported  beam  members,  each  with  a  different  loading  configuration,  were 
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evaluated.  Based  on  the  results,  the  probability  of  predicting  whether  a  member 
design  is  safe  is  not  a  function  of  experience.  The  results  indicated  that  if  a  pro¬ 
posed  member  design  is  deemed  safe,  then  experienced  engineers  tend  to  be 
more  efficient  in  assessing  whether  the  member  is  oversized  or  not. 

The  relationship  between  an  engineer's  experience  and  the  safety  of  a  de¬ 
signed  member  is  of  particular  interest.  It  has  been  shown  by  Walker  [1980] 
that  lack  of  experience  is  a  major  contributing  cause  in  actual  cases  of  structural 
failures.  However,  an  analysis  of  structural  failures  by  Blockley  [1977]  shows 
that  while  the  designer's  experience  is  a  factor,  its  relative  importance  when 
compared  with  other  causes  of  failure  is  very  low.  The  study  by  Ingles  and 
Nawar  [1983]  showed  that  engineers  place  great  weight  on  experience  for  error 
reduction.  The  results  of  the  work  by  Melchers,  et  al.  [1989]  indicate  that  such  a 
perception  may  be  false. 


Nuclear  Power  Plants 


A  Probabilistic  Risk  Analysis  (PRA)  approach  to  the  evaluation  of  nuclear 
power  plants  has  been  developed  by  Swain  and  Guttmann  (1983)  for  the  Nuclear 
Regulatory  Commission  (NRC).  This  approach  was  developed  over  about  a  10 
year  period.  It  continues  to  be  further  detailed  and  developed  [Luckas,  et  al., 
1993;  Barriere,  et  al.,  1993]. 

The  method  developed  by  Swain  and  Guttman  was  identified  as  THERP 
(Technique  for  Human  Error  Rate  Prediction).  The  THERP  procedure  included 
the  following  steps: 

1)  Define  the  system  failure  of  interest,  then  determine  the  system  func¬ 
tions  that  may  be  influenced  by  human  errors  and  for  which  error 
probabilities  are  to  be  estimated. 

2)  List  and  analyze  the  human  related  operations. 

3)  Estimate  the  relevant  error  probabilities. 

4)  Estimate  the  effect  of  human  errors  on  the  system  failure  events. 

5)  Recommend  changes  in  the  system  and  recalculate  the  system  failure 

probabilities. 

The  PRA  is  conducted  using  Event  Trees.  This  approach  will  be  further 
discussed  and  detailed  in  Chapter  8.  The  probability  of  failure  at  the  end  of  each 
limb  of  the  tree  is  the  product  of  the  conditional  probabilities  of  all  events  in  the 
path.  The  system  probability  of  failure  is  obtained  by  summing  the  probabilities 
of  the  failure  paths. 
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Figure  5.7  -  Causes  of  accidents  in  nuclear  power 
plants 


Since  1979,  and  the  Three  Mile  Island  (TMI)  power  plant  accident,  the 
Nuclear  Regulatory  Commission  (NRC)  has  embarked  on  an  intense  effort  di¬ 
rected  toward  improved  management  of  HOE  in  nuclear  power  plant  operations. 
Figure  5.7  summarizes  the  results  from  450  accident  investigations  that  in¬ 
volved  HOE  in  plant  operations  [Lucas,  et  al.,  1993].  The  total  percentages  sum 
to  greater  than  100  %  because  there  can  be  multiple  reasons  for  a  given  accident. 

The  data  indicates  that  in  about  three-fourths  of  the  cases,  not  following 
procedures  is  responsible  for  the  accidents.  Improper  management  is  involved  in 
about  50  %  of  the  cases.  The  lack  of  proper  training  is  involved  less  than  10  %  of 
the  time. 

Data  have  been  published  recently  on  License  Event  Reports  (LER)  in 
operations  of  nuclear  power  plants  [Luckas,  et  al,  1993].  Thirty  two  high 
consequence  events  were  studied.  Human  error  was  responsible  for  63  %  of  the 
severe  events.  The  majority  of  the  human  errors  were  due  to  mistakes  where  the 
intention  was  erroneous  and  was  purposefully  executed  (67  %). 

The  major  source  of  the  mistakes  were  the  use  of  inadequate  procedures 
(54  %).  The  event  data  indicate  that  procedures  are  frequently  deficient,  either 
in  providing  inadequate  guidance  or  in  omitting  instructions  for  unexpected 
contingencies  while  performing  operations.  Errors  of  commission  were 
responsible  for  77  %  of  the  events.  These  generally  were  the  result  of  a 
procedural  inadequacy  and  inadequate  training. 

The  principal  results  from  this  study  were  that: 

•  Most  events  involve  multiple  influences. 

•  Most  frequently  cited  human  reliability  influences  are  procedures  and 
ergonomics. 
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•  The  majority  of  deficiencies  are  symptomatic  of  poor  planing  and 
preparation  and  concurrent  deficiencies  in  training,  communications, 
and  organizational  factors. 

•  The  combinations  of  influences  appear  to  be  very  sensitive  to  the  context 
of  the  operating  conditions. 

•  Recovery  form  the  events  (near-misses)  is  frequently  aided  by  situation 
appropriate  procedures,  specific  training,  and  the  technical  knowledge 
of  the  operations  personnel. 


Automotive  Industry 


In  the  automotive  industry,  Failure  Mode  and  Effect  Analysis  (FEMA) 
methods  have  been  applied  (Ford  Motor  Company,  1972).  The  following  steps 
have  been  integrated  into  these  analyses: 

1)  Describe  the  failure  mode, 

2)  Describe  the  effects  of  the  failure, 

3)  Describe  the  causes  of  the  failure, 

4)  Estimate  the  frequency  of  occurrence  of  the  failure, 

5)  Estimate  the  severity  of  the  failure, 

6)  Estimate  the  ability  to  detect  and  correct  the  failure, 

7)  Calculate  the  risk  mitigation  priority,  and 

8)  Recommend  corrective  action. 

The  process  is  repeated  for  all  potentially  important  failure  modes.  The 
risk  mitigation  priority  is  based  on  the  relative  magnitudes  of  the  calculated 
risks.  Human  errors  are  implicitly  accounted  for  in  parts  (4)  and  (6)  in  the  pro¬ 
cess. 


Aerospace  Engineering 


Consideration  of  human  factors  has  been  an  integral  part  of  development 
of  structural  systems  for  aircraft,  including  design,  construction,  and  operating 
life-cycle  phases  of  the  aircraft  [Bea,  1992].  Because  of  its  importance,  particular 
attention  has  and  continues  to  be  devoted  to  the  in  flight  human  error  aspects 
[Hawkins,  1987].  Rabideau  [1962]  identified  a  Personnel  Subsystem  (PSS) 
reliability  evaluation  process  that  can  be  summarized  as  follows: 
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1)  Analyze  human  functions  as  follows: 

a)  identify  and  describe  required  human  outputs  (types,  effects  of  envi¬ 
ronmental  factors,  and  output  tolerance  limits), 

b)  identify  and  describe  response  alternatives,  initiating  and  coordina¬ 
tion  decisions,  and  valuations  of  feedback  data, 

c)  identify  and  describe  required  human  inputs,  and 

d)  determine  essential  functional  time  aspects. 

2)  Identify  potential  sources  of  errors. 

3)  Estimate  the  probabilities  of  errors. 

4)  Rate  the  criticality  of  error  effects  by  identifying  the  effects  which  po¬ 
tential  error  can  exert  on  the  system  and  by  estimating  the  relative 
criticality  of  each  effect. 

5)  Analyze  trade-off  factors  including: 

a)  possibilities  of  alternative  functional  and  physical  configurations, 

b)  comparing  alternatives  in  terms  of  the  effects  of  human  functional 
element's  error  potential,  effects  of  implementation  upon  other  func¬ 
tional  /  physical  aspects,  and  implementation  considerations  relative 
to  cost  and  schedule, 

6)  Test  the  functional  and  physical  configurations. 

7)  Implement,  monitor,  record,  and  update  the  evaluations. 

Hawkins  [1987]  proposed  the  SHEL  conceptual  model  of  human  factors. 
The  SHEL  concept  addresses  Software,  Hardware,  Environment,  and  Liveware. 
Liveware  refers  to  the  humans  that  are  at  the  center  of  the  functional  model. 

The  engineering  aspects  of  the  Liveware  include  the  physical  size  and  shape,  the 
fuel  requirements  (oxygen,  food,  water),  input  characteristics,  information  pro¬ 
cessing,  output  characteristics,  and  environmental  tolerances.  The  remainder  of 
the  SHEL  components  are  attached  to  this  central  component. 

The  Hardware  or  L-H  interface  is  the  one  most  commonly  addressed  and 
includes  the  field  of  "ergonomics"  or  man  -  machine  compatibility.  The  Software 
or  L-S  interface  includes  the  non-physical  aspects  of  the  system  such  as  proce¬ 
dures,  manual  and  checklist  layout,  symbology,  and  computer  programs.  Errors 
can  develop  within  a  given  component  such  as  an  error  in  the  Software  and  at 
the  interface  of  the  component  with  the  Liveware  such  as  an  error  in  reading  or 
interpreting  the  instructions  in  a  manual  of  practice. 
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The  Liveware-Environment  of  L-E  interface  is  the  one  in  which  the  exter¬ 
nal  and  internal  environment  has  an  effect  on  the  Liveware.  Cold,  heat,  vibra¬ 
tion,  motions,  light,  and  other  similar  factors  influence  the  error  producing  po¬ 
tential  of  the  Liveware. 

The  last  component  is  referred  to  as  Liveware-Liveware.  This  indicates 
the  interface  between  the  individual  and  the  organizations  that  influence  the  in¬ 
dividual.  The  L-L  interface  is  concerned  with  things  such  as  leadership,  cooper¬ 
ation,  personality  interactions,  and  other  similar  factors. 

There  can  also  be  interfaces  between  any  of  the  components.  The  H-E  in¬ 
terface  in  the  presence  of  severe  environmental  conditions  can  produce  problems 
in  the  hardware,  and  so  forth. 

Bouton  [1974]  developed  and  applied  an  error  disclosure  process  to  the 
fatigue  design  of  aerospace  structures.  Bouton  contended  that: 

"Human  error  is  the  major  problem  with  fatigue  design  due  to  the 
creation  of  defects  and  flaws  during  the  fabrication,  assembly,  and 
operations  processes.  Because  of  the  large  uncertainties  associated 
with  fatigue  design  and  because  of  the  human  error  considerations, 
"fail-safe"  design  procedures  must  be  adopted  for  airframe  design." 


Medical 


During  this  review,  the  author  reviewed  results  from  one  current  study 
being  conducted  by  the  medical  profession  on  human  factors  as  they  relate  to 
performance  of  radiation  therapy  [Henriksen,  et  al.,  1993]. 

Sectors  of  the  medical  profession  apparently  have  been  working  on  prob¬ 
lems  of  human  factors  for  several  decades  primarily  as  applied  to  interfacing 
humans  with  machines  and  facilities.  The  field  of  "ergonomics"  has  had  one  of 
its  primary  development  pushes  from  the  needs  of  the  medical  profession. 

The  study  reported  by  Henriksen,  et  al.  [1993]  was  based  on  long-term  site 
visits  to  hospitals  and  other  treatment  facilities,  investigations  of  "incident" 
reports,  and  interviews  with  physicians,  nurses,  and  patients.  A  team  comprised 
of  human  factors  specialists,  assisted  by  a  panel  of  physicians  conducted  the 
study. 


A  function  and  task  analysis  was  performed  to  guide  the  evaluations  in 
the  areas  of  human- system  interfaces,  procedures,  training  and  qualifications, 
and  organizational  polices  and  practices. 

The  framework  for  organization  and  analysis  of  the  findings  is  shown  in 
Figure  5.8.  This  figure  shows  the  major  contributing  factors  and  individual  fac¬ 
tors  in  each  of  the  major  categories  that  are  likely  to  influence  the  occurrence  of 
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a  "misadministrations"  (human  error).  A  precise  definition  was  given  to  "misad- 
minstrations"  that  involved  both  the  occurrence  and  effects  of  errors. 


MISADMINI8TRATION 


Figure  5.8  -  Causative  and  contributing  factors  to 
human  error  in  radiation  therapy 


The  lowermost  block  in  the  figure  shows  a  variable  relationship  between 
acceptable  human  performance  and  human  error.  The  successive  tiers  of  con¬ 
tributing  factors  in  Figure  5.8  are  arranged  in  a  progressive  manner  with  each 
successive  tier  having  a  direct  influence  on  the  factors  of  the  preceding  tier. 

The  first  two  tiers  labeled  "individual  characteristics"  and  "nature  of  the 
work"  reflect  the  individual  qualities  of  technologists  and  the  nature  of  their 
immediate  work  environment.  Errors  that  can  be  traced  to  factors  in  the  first 
two  tiers  are  called  active  errors.  Their  occurrence  is  associated  with  the 
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delivery  of  treatment  and  they  are  frequently  discovered  immediately  or  in  the 
near  term. 

In  tiers  3  and  4  in  Figure  5.8  are  the  broader  scale  workplace  environment 
and  managerial  factors.  Errors  that  can  be  traced  to  these  tiers  are  propagated 
by  those  in  decision  making  positions.  The  adverse  consequences  of  latent  errors 
in  these  two  tiers  may  inert  for  some  time  in  the  overall  system,  only  to  breach 
the  system  defenses  when  they  combine  with  other  factors  in  unanticipated 
ways. 

In  the  conclusions  drawn  from  this  study,  the  authors  noted  the  following: 

"A  systems  perspective  leads  one  to  suspect  that  the  difficult  to  rec¬ 
ognize  latent  errors  that  are  made  upstream  by  system  designers 
and  organizational  policy  makers  permeate  the  system  and  con¬ 
tribute  to  the  downstream  active  errors  made  by  technologists. " 


The  results  of  the  study  were  reduced  to  a  series  of  tables  that  addressed 
each  of  the  blocks  identified  in  Figure  5.8,  identifying  potential  problem  areas 
and  implications  for  improvements.  Major  emphasis  in  the  study  was  devoted  to 
organizational  and  management  factors. 


Human  Intervention 


Human  intervention  is  responsible  for  "near  misses."  Experience  indi¬ 
cates  that  there  are  generally  many  more  near  misses  than  there  are  major  acci¬ 
dents.  Humans  intervene  to  interrupt  potentially  catastrophic  combinations  of 
actions  and  events  to  bring  systems  back  to  within  the  safe  operating  zone. 

Studies  by  Melchers  (1990)  have  indicated  that  there  are  seven  major  fac¬ 
tors  involved  in  human  interventions: 

1.  Education  (information  on  how  can  things  can  and  do  go  wrong) 

2.  Work  environment  that  encourages  open-minded,  responsibility,  in¬ 
tegrity,  and  quality  production 

3.  Reduction  in  complexity;  simplification  of  complex  tasks  and  systems; 
elegant  simplicity 

4.  Personnel  selection  that  emphasizes  the  necessary  skills,  capabilities, 
experience,  commitments,  and  integrity 

5.  Self-checking  in  which  the  checking  involves  alternative  procedures 
(independent) 

6.  External  checking  and  inspection,  particularly  of  the  assumptions  and 
precepts  on  which  an  activity  or  system  is  founded 
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7.  Legal  sanctions  to  deter  negligence  and  deliberate  malpractice. 


Other  Thoughts 


From  "Structural  Failures  Due  to  Human  Error  -  What  Research  to  Do  ?" 
by  D.  E.  Allen  [1984]: 

"Most  design  errors  resulting  in  structural  failure  other  than  dete¬ 
rioration  are  due  to  misconception  or  lack  of  consideration  of  struc¬ 
tural  behavior,  especially  of  the  details,  and  of  the  kinds  of  loads 
and  influences  that  occur. " 

"Most  construction  errors  resulting  in  structural  failure  are  due  to 
incorrect  procedures  such  as  improper  bracing,  omissions,  mis¬ 
placements,  wrong  products  and  overloading. " 

"More  systematic  measures  to  avoid  failure  due  to  human  error  are 
therefore  required.  Such  measures  include  checking,  inspection, 
communication,  proper  organization  of  a  project,  etc.,  and  come  un¬ 
der  the  general  heading  of  quality  assurance. " 

From  "Modeling  Human  Errors  in  Design"  by  A.  Nowak  [1991]: 

"Human  errors  are  the  major  cause  of  structural  failure.  Reliability 
depends  to  a  large  degree  on  the  control  of  errors  caused  and  conse¬ 
quences.  Sensitivity  analysis  is  an  efficient  method  to  identify  the 
consequential  errors.  Then,  special  control  efforts  can  be  allocated 
in  the  most  efficient  way. " 


From  "How  Engineers  Lose  Touch"  by  E.  S.  Ferguson  [1993]: 

"Despite  all  the  care  engineers  exercise  and  all  their  systems  for 
ensuring  correct  engineering  choices,  evidence  of  faulty  judgment 
shows  up  again  and  again  in  some  of  the  most  expensive  and  most 
carefully  designed  and  tested  machines  of  the  twentieth  century. " 

"Engineers  need  to  be  continually  reminded  that  nearly  all  engi¬ 
neering  failures  result  from  faulty  judgments  rather  than  faulty 
calculations. " 

"Engineering  students  have  been  taught  to  rely  far  too  completely  on 
computer  models,  and  their  lack  of  old-fashioned,  direct  hands-on 
experience  can  be  disastrous. " 
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From  "Launching  the  Space  Shuttle  Challenger:  Disciplinary  Deficiencies 
in  the  Analysis  of  Engineering  Data"  F.  F.  Lighthall  [1990]: 

"The  weakness  in  engineering  education,  in  turn,  is  taken  to  be  of  a 
pervasive  genre:  An  overemphasis  in  contemporary  universities  and 
research  centers  on  specialization  and  analysis  and  an  under  em¬ 
phasis  on  synthesis  of  knowledge  across  fields.  A  larger  lesson  of  the 
accident,  then,  is  that  professional  narrowness,  leading  to  false 
diagnosis  of  cause-effect  relations,  can  be  fatal." 

From  To  Engineer  is  Human.  The  Role  of  Failure  in  Successful  Design .  by 
H.  Petroski  [1985]: 

"Some  engineers  would  say  it  is  all  a  matter  semantics  and  that  all 
structural  failures  can  be  traced  back  to  one  cause,  design  error,  for 
even  so-called  construction  errors  should  be  anticipated  by  the  de¬ 
signer.  It  is  true,  of  course,  that  all  failures  can  be  argued  to  be  the 
result  of  design  errors,  for  as  the  purpose  of  design  is  to  obviate 
failure,  the  failure  not  anticipated  is  a  clear  indication  of  improper 
design.  But  to  obviate  failure,  a  designer  must  anticipate  it. " 

From  "Checking  Techniques"  by  Franz  Knoll  [1986]: 

"When  we  therefore  at  our  schools,  free  the  students  from  the  tedious  work 
of  analyzing  structural  situations  by  hand,  in  order  to  let  them  spend  more 
time  with  the  screen  and  type  set,  we  are  committing  a  capital  mistake.  If 
this  goes  on,  we  shall  have  killed  innovation  soon  in  the  field  of  structural 
engineering,  and  mistakes,  as  they  will  come  out  of  the  black  box  of  the 
computer,  will  become  increasingly  difficult  to  catch.  The  computer  is  the 
ultimate  fool,  and  we  have  elevated  it  to  the  ultimate  authority.  What  is 
going  to  be  the  price1?" 


Summary 


The  central  theme  that  developed  from  these  reviews  was  consistent.  The 
single  largest  source  of  reliability  problems  associated  with  structures  is  HOE. 
Approximately  80  +  %  of  the  "failures"  of  such  systems  is  due  to  compounded 
HOE.  HOE  occurs  in  all  of  the  life-cycle  phases  including  design,  construction, 
and  maintenance. 

In  "passive"  systems,  where  the  majority  of  human  activities  that 
influence  reliability  are  confined  to  the  design  and  construction  phases,  the 
majority  of  HOE  occurs  in  the  design  phase.  In  "active"  systems,  where  human 
activities  are  present  in  all  life-cycle  phases  including  the  long-term  operating 
phase,  the  majority  (approximately  80  %)  of  HOE  occurs  or  is  made  evident  dur¬ 
ing  the  operating  phase. 
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Lack  of  recognition  of  HOE  is  the  fundamental  reason  for  the  disparities 
between  computed  or  notional  reliabilities  and  actuarial  reliabilities. 

Another  important  finding  from  this  review  regarded  quantitative  as¬ 
sessments  of  the  causes  of  HOE  related  failures.  The  review  did  not  identify  one 
source  of  reliable  objective  data  on  HOE  related  design  and  construction  failures. 
The  studies  have  been  sporadic  and  subjective  in  nature.  There  is  no  common 
classification  or  description  of  HOE  in  design  and  construction.  There  has  been 
and  still  is  no  uniform  classifications  of  errors  or  a  uniform  basis  for  identifica¬ 
tion  of  their  causes  and  effects. 

The  results  of  this  review  resulted  in  a  consistent  definition  of  when, 
where,  and  how  human  errors  occur  in  design  and  construction  of  non-marine 
structures.  Design  errors  are  important.  Design  errors  occur  most  frequently  in 
determination  of  loadings  and  in  design  of  connections.  Construction  errors 
occur  most  frequently  in  assembly  due  to  poor  erection  procedures.  The  most 
dominant  cause  of  these  human  errors  is  insufficient  knowledge  resulting  from 
lack  of  proper  training. 

The  experience  with  non-marine  structures  indicates  that  the  challenge  of 
reducing  HOE  in  design  and  construction  is  not  a  problem  of  not  knowing  what 
to  do.  It  is  primarily  a  problem  of  not  doing  what  we  know  we  should  not  do. 
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Causes  of  Unsatisfactory  Quality 


Table  6.1  summarizes  causes  of  unsatisfactory  quality  in  some  marine 
structures  [Bea,  et  al.,  1994].  Unsatisfactory  quality  is  defined  as  undesirable  or 
unanticipated  poor  performance  associated  with  the  structures.  The  unsatisfac¬ 
tory  quality  identified  in  Table  6.1  resulted  from  not  only  in  the  catastrophic  col¬ 
lapse  or  loss  of  the  structure  (exceed  capacity),  but  as  well  resulted  from  unex¬ 
pected  durability  problems  (insufficient  corrosion  and  fatigue  cracking  resis¬ 
tance). 


The  causes  of 

unsatisfactory  quality  can  be 
organized  into  three  categories 
(Figure  6.1): 

1)  those  that  underlie  the 

actions, 

2)  the  direct  initiating 

actions,  and 


3)  the  compounding  or 
propagating  actions. 


Figure  6.1  -  Primary  causes  of  unsatisfactory 
quality 


Often,  the  direct 

initiating  actions  are  identified  and  the  more  important  underlying  and 
compounding  actions  are  ignored. 

A  detailed  study  of  the  case  histories  summarized  in  Table  6.1  indicates 
that  while  the  direct  causes  of  failure  can  be  attributed  to  the  acts  of  individuals, 
the  dominant  contributing  and  compounding  causes  are  fundamentally  "organi¬ 
zational;"  erroneous  actions  by  groups  of  individuals  that  influence  the  direct 
cause  of  failure  and  exacerbate  or  escalate  its  development  through  compounded 
errors  [Moore,  Bea,  1993b].  Of  the  individual  errors,  the  majority  of  errors  are 
errors  of  commission;  what  was  performed  was  erroneous  and  purposefully  exe- 


Role  of  Human  Error  In  Reliability  of  Marine  Structures 


cuted.  Errors  of  omission  or  what  was  performed  was  not  intentional  account  for 
a  minority  of  the  causes. 


Table  6.1  -  Causes  of  unsatisfactory  quality  in  marine  structures 


Marine  Structure 

Causes 

Texas  Tower  #4 
[Bea, 1972] 

•  environmental  forces  underestimated 

•  unrealistic  structure  design  assumptions 

•  construction  modifications  due  to  poor  design 

•  damage  during  installation 

•  unwillingness  to  acknowledge  early  warning  signals 

Camille  Platforms 
[Pate-Cornell,  Bea, 
1992] 

•  lack  of  recognition  of  environmental  conditions 

•  underestimation  of  environmental  forces 

•  excessive  risk  taking  by  organization 

Alexander  Kielland 
[Moan,  1981] 

•  structure  design  not  robust;  damage  intolerant 

•  inappropriate  modifications  during  maintenance 

•  inadequate  inspection 

Ranger  I  Jack-Up 
[Pate-Cornell,  Bea, 
1992] 

•  error  in  design  computer  program 

•  lack  of  design  checking  and  verification 

•  inadequate  quality  assurance  in  design  and  construction 

Ocean  Ranger  Semi- 
Submersible 
[Moore,  Bea,  1993] 

•  lack  of  adequate  back-up  in  ballast  controls 

•  lack  of  software  on  ballast  controls 

•  lack  of  qualified  and  adequately  trained  personnel 

•  insufficient  life  saving  equipment  and  training 

Sleipner  A  Platform 
[Jakobsen,  1992; 
Noyes,  1994] 

•  error  in  design  finite  element  analysis  of  cell  intersections 

•  non-robust  design  of  star  cells  and  intersections 

•  lack  of  adequate  shear  reinforcement  in  star  cells 

•  inadequate  quality  assurance  in  design 

Piper  Alpha  Platform 
[Pate-Cornell,  Bea, 
1992;  UK  Dept,  of 
Energy,  1990] 

•  poor  design  layout  of  topsides  and  risers 

•  inadequate  damage  tolerance  in  facilities 

•  poor  operating  organization 

•  inadequate  training 

TAPS  Tankers 
[Bea,  1992;  Bea, 
1993] 

•  inadequate  design  of  structural  details  for  fatigue 

•  inappropriate  use  of  HTS 

•  poor  financial  environment 

•  poor  construction 

Bulk  Cargo  Carriers 
[Robinson,  1991, 
Ferguson  1991] 

•  cargo  loading  in  seaways  under-estimated 

•  inadequate  design  for  durability 

•  inadequate  maintenance 

•  poor  operation  practices  (loading,  unloading) 

•  inadequate  verification  /  certification  environment 

Lacey  V.  Murrow 
Floating  Bridge 
[Firth,  1992,  1993; 
Dusenberry,  1993] 

•  no  design  for  fatigue  effects 

•  loss  of  reinforcement  bond 

•  poor  maintenance 

•  ignoring  early  warning  signs 
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Based  on  the  information  summarized  in  Table  6.1,  it  is  apparent  that  un¬ 
satisfactory  quality  in  design,  construction,  and  operations  can  and  does  lead  to 
unsatisfactory  quality  in  marine  structures.  The  single  largest  contributor  to 
these  failures  can  be  attributed  to  unanticipated  and  undesirable  sequences  of 
human  and  organization  errors  (HOE).  One  of  the  primary  objectives  of  QA  /  QC 
measures  are  to  give  early  warnings  of  the  development  of  these  sequences, 
make  adequate  corrections,  and  allow  the  system  be  brought  back  to  an  accept¬ 
able  state  of  quality. 

Human  errors  have  been  shown  to  be  the  basic  cause  of  failures  of  many 
engineered  systems  [Petroski,  1985;  Perrow,  1984;  Wenk,  1986;  Reason,  1990]. 

In  almost  all  cases,  the  initiating  event  can  be  traced  to  a  catastrophic  com¬ 
pounding  of  human  and  organizational  errors  [Moore,  Bea,  1993b;  Reason,  1990]. 


High  consequence  accidents  resulting  from  HOE  can  be  differentiated  into 
those  that  occur  in  design,  construction  and  operation  phases  of  the  marine  sys¬ 
tem's  life  cycle.  Unacceptable  performance  of  a  marine  structure  can  be  the  re¬ 
sult  of  improper  design  and  construction  of  the  system.  For  example,  primary 
contributors  to  the  capsizing  of  the  Alexander  Kielland  were  the  lack  of  redun¬ 
dancy  (design  flaws)  and  cracks  (maintenance  oversights)  in  the  structure 
[Moan,  1981].  Design  flaws  originating  in  the  finite  element  modeling  and  lack 
of  appropriate  review  were  primarily  responsible  for  the  sinking  of  the  Sleipner 
A  platform  [Jakobsen,  1992]. 

Of  the  three  life-cycle  phases  of  a  marine  structure,  the  majority  of  com¬ 
promises  in  the  quality  of  the  structure  occur  during  the  operating  phase  and 
can  be  attributed  to  errors  developed  by  operating  personnel  [Bea,  1990;  Moore, 
Bea,  1993a]. 


A  recently  published 
analysis  of  major  claims 
associated  with  commercial 
shipping  during  1993  indicated 
that  human  errors  that  occurred 
during  operations  were 
responsible  for  approximately  62 
percent  of  the  major  claims 
(Figure  6.2)  [UK  P&I  Club, 

1993]. 

Structural  failures 
accounted  for  12  percent  and  me¬ 
chanical  -  equipment  failures 
accounted  for  16  percent  of  the 
major  claims.  A  substantial  of 
these  later  "causes"  of  failure  had 
roots  that  could  be  traced  directly 
maintenance  and  use. 


Other(ll%) 


Structural(12%)' 


Figure  6.2  -  Causes  of  major  (>  US  $  100,000) 
claims  for  all  classes  of  commercial  ships 
1993 


to  operations  errors  founded  in  inappropriate 
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Figure  6.3  -  HOE  and  ship  age  related  to  major  damage  claims 

Analysis  of  the  same  data  with  ship  age  (Figure  6.3)  indicates  that  there  is  a 
definite  correlation  between  the  age  of  the  ship  and  the  incidence  of  human  er¬ 
rors. 


Quoting  from  that  report: 

"Why  do  people  persistently  make  flawed  decisions  which  are  at  odds 
with  all  their  training,  experience  and  better  judgment?  Factors 
include  over  confidence,  the  tendency  to  respond  to  commercial 
pressures  at  the  expense  of  good  practice,  personal  pride  leading  to 
failure  to  seek  assistance,  linguistic  confusion,  and  not  least,  fatigue. 
Human  error  is  the  overwhelmingly  dominant  factor  in  claims  of  all 
sizes. " 

"Human  errors  occur  more  often  in  ships  of  10  - 14  years  old  (Figure 
6.3).  This  may  reflect  manning  pressures  on  ships  designed  to  run 
with  larger  crews  than  is  now  the  practice,  or  accumulated  lack  of 
maintenance  prior  to  the  third  survey. " 

"There  are  sensible  recommendations  for  improved  personnel 
management,  the  importance  of  training  on  the  carriage  of  cargo,  the 
need  for  adequate  manning  levels  and  improved  training  and 
motivation  for  both  crew  and  shore  personnel. " 
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The  causes  of 
tanker  (above  10,000  grt) 
casualties  during  the 
period  1979  through  1990 
are  summarized  in  Figure 
6.4  [Bea,  1992].  Twenty 
seven  percent  of  the 
casualties  were  due  to 
structural  problems  with 
the  hull  or  machinery. 

The  remaining  73  percent 
of  the  casualties  were  due 
to  various  forms  of  HOE. 

A  similar  current 
picture  has  emerged  for 
the  operations  of  both 
fixed  and  mobile  offshore 
platforms.  Based  on 
information  from  the  World  Offshore  Accident  Databank  (WOAD)  [Bekkevold,  et 
al.,  1990],  the  principal  causes  of  the  accidents  to  fixed  platforms  (Figure  6.5) 
and  Mobile  Offshore  Drilling  Units  (MODUs)  (Figure  6.6)  are  blowouts, 
collisions  (for  MODUs  grounding,  foundering  and  towing  accidents  are  included 
in  the  rates  shown),  fires  and  explosions. 

Structurally  related  causes  of  severe  damage  are  in  the  range  of  6  %  to  9 
%  of  the  total  causes  of  accidents  for  fixed  platforms  and  MODUs,  respectively. 
The  generally  less  robust  (damage  tolerant)  designs  of  MODUs  apparently  is  re¬ 
sponsible  for  the  greater  incidence  of  structurally  related  severe  accidents. 

On  the  positive  side  of  these  statistics,  it  is  apparent  that  the  majority  of 
the  current  compromises  in  the  quality  of  marine  structures  that  result  in  severe 
damage  are  not  centered  in  the  design  and  construction  activities.  Further,  the 
majority  of  the  compromises  can  not  be  directly  attributed  to  insufficient  quality 
in  the  structures  themselves. 

While  improvements  can  be  made  and  are  being  made  in  the  design  and 
construction  procedures  and  hardware  and  in  the  structures  themselves,  it  is 
apparent  that  the  primary  problems  with  quality  in  marine  structures  are  cen¬ 
tered  in  operations;  how  they  are  used  and  maintained. 

The  Piper  Alpha  fires  and  explosions,  and  the  grounding  of  the  Exxon 
Valdez  have  drawn  worldwide  attention  to  the  roles  of  human  errors  in  the  oper¬ 
ations  of  marine  structures.  The  public  reactions  have  resulted  in  the  require¬ 
ments  for  "Safety  Cases"  in  the  United  Kingdom  sector  of  the  North  Sea  [Barrell, 
1993]  and  the  United  States  Oil  Pollution  Act  of  1990  (OPA  90)  [Moore,  1994]. 


FIRE  /EXPLOSION 
CONTACT 
COLLISION 
0  WAR  LOSS 
FOUNDERING 
GROUNDING 
HULL /MACHINERY 


Figure  6.4  -  Tanker  (above  10,000  grt)  casualties 
1979  - 1990 
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In  the  United  Kingdom, 
Safety  Case  study  requirements 
have  also  been  suggested  for 
commercial  ships  [House  of  Lords 
Select  Committee  on  Science  and 
Technology,  1992].  These 
reactions  have  had  important 
effects  worldwide  on  how  quality  in 
the  marine  structures  is  achieved 
and  maintained.  The  OPA  90 
requirements  for  double-  hull 
tankers  operating  in  United  States 
waters  and  the  liabilities  placed  on 
transporters  of  hydrocarbons  for 
pollution  are  a  legacy  of  regulatory 
reaction  to  the  Exxon  Valdez. 


ANNUAL  SEVERE  DAMAGE  RATE 
(x  E-3) 


Figure  6.5  -  Initiating  events  leading  to 
severe  damage  to  fixed  offshore  platforms 


Two  recent  important 
international  steps  have  been 
taken  to  help  improve  quality  in 
operations  of  ships.  The  first  is  the 
development  of  the  International 
Management  Code  for  the  safe 
operation  of  ships  and  for  pollution 
prevention  by  the  International 
Maritime  Organization  (IMO) 
[IMO,  1993].  The  second  is  de¬ 
velopment  of  the  quality  system  for 
requirements  for  classifications 
societies  by  the  International 
Association  of  Classification 
Societies  (IACS)  [IACS,  1991]. 
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Figure  6.6  -  Initiating  events  leading  to 
total  loss  of  mobile  offshore  platforms 


These  steps  have  been 

accompanied  by  a  series  of  important  technical  developments  that  address  the 
quality  of  operations  of  commercial  ships. 

•  Development  of  a  comprehensive  structural  and  equipment  IMR  man¬ 
agement  strategies  and  systems  [Bea,  1992;  Melitz,  1992], 

•  Development  and  implementation  of  hull  condition  monitoring  and  ship 
routing  -  navigation  systems  to  assist  in  IMR  and  other  aspects  of  opera¬ 
tions  [Brooks,  1992;  Brooking  et  al.,  1992;  Lewis  et  al.,  1991;  Chen, 
1987],  and 

•  Development  of  qualitative  and  quantitative  process  and  procedures  to 
help  evaluate  alternatives  to  improve  the  human  factors  related  aspects 
of  operations  [Moore,  Bea,  1993b,  1993c;  Reason,  1991;  Moore,  Bea, 
Roberts,  1993]. 
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In  a  recent  study  of  the  safety  of  ships,  the  Select  Committee  on  Science 
and  Technology  of  the  House  of  Lords  [1992]  observed  the  following: 

"Modern  science  and  technology  are  not  being  adequately  applied  in 
many  of  the  fields  which  affect  the  safety  of  ships. " 

"Shipping  must  not  be  allowed  to  become  a  victim  of  its  own  long 
history:  we  consider  that  the  time  has  come  for  radical  change. " 

This  study  developed  two  primary  long-term  recommendations  for  the 
shipping  industry: 

1)  Primary  safety  goals  for  all  aspects  of  ship  operations:  These  would  con¬ 
sist  of  standards  of  structural  strength,  stability,  maneuverability,  perfor¬ 
mance  in  a  seaway,  operational  competence  and  safety  management  for 
every  type  of  ship  operation.  They  would  be  based  on  quantified  assess¬ 
ment  of  risk,  on  analysis  of  costs  and  benefits,  and  on  international 
agreement  as  to  what  level  of  risk  was  acceptable. 

2)  A  safety  case  for  every  ship  trading  commercially,  produced  by  the  op¬ 
erator  and  approved  and  audited  by  the  flag  state:  The  safety  case  would 
demonstrate  that  the  ship's  operations  would  achieve  the  relevant  pri¬ 
mary  safety  goals,  subject  to  prescribed  conditions.  These  conditions 
would  cover  matters  including  maintenance,  protective  coatings  and  levels 
of  corrosion,  safety  equipment;  manning  levels  and  crew  competence;  load- 
line  and  rates  of  loading,  and  unloading;  stresses  on  the  hull,  navigation 
and  communications  equipment;  and  safety  management  system.  The 
safety  case  would  be  completely  reviewed  every  5  years  in  the  light  of 
changes  in  the  ship's  operating  pattern  and  in  the  conditions  of  the  ship. 

In  1989,  following  several  serious  tanker  accidents  which  were  clearly 
caused  by  human  error  and  a  growing  awareness  in  the  maritime  community  of 
the  human  factors,  the  IMO  adopted  an  Assembly  Resolution  committing  the 
Marine  Safety  Committee  and  Marine  Environmental  protection  Committee  to 
examine  the  "human  element"  as  a  cause  of  marine  casualties. 

In  the  past  four  years,  this  initiative  has  become,  within  IMO,  a  major, 
broad-based  long-term  effort  involving  all  of  the  technical  sub-committees,  and 
in  which  nearly  all  tasks  and  developments  are  being  examined  in  a  human  fac¬ 
tors  light.  This  initiative  has  produced  the  International  Management  Code  for 
the  Safe  Operations  of  Ships  and  Pollution  prevention  (or  International  Safety 
Management  -  ISM  Code).  The  ISM  Code  is  to  be  adopted  as  a  new  requirement 
within  the  SOLAS  Convention.  The  premise  behind  the  ISM  Code  is  to  set  rules 
and  standards  for  the  organization  of  a  company  management  with  respect  to 
safety  and  pollution  prevention  thorough  the  development  of  a  safety  manage¬ 
ment  system  (SMS).  ISM  Code  compliance  will  be  required  for  both  the  company 
and  each  vessel  under  the  company's  operation  and  is  expected  to  have  far  reach¬ 
ing  effects  on  ship  owners  and  operators  (Moore,  McIntyre,  1994). 
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In  a  similar  vein,  the  International  Chamber  of  Shipping  and  the 
International  Shipping  Federation  has  recently  (August  1993)  issued  a  draft 
International  Safety  Management  Guideline  titled  "Application  Guidelines  for 
the  IMO  International  Safety  Management  (ISM)  [Int.  Chamber  of  Shipping, 
1993].  The  ISM  introduced  a  Safety  Management  System  (SMS)  that  requires  a 
company  to  document  its  management  procedures  to  ensure  that  "conditions,  ac¬ 
tivities  and  tasks,  both  ashore  and  on  board  affecting  safety  and  environmental 
protection,  are  planned,  organized,  executed  and  checked  in  accordance  with  leg¬ 
islative  and  company  requirements." 

Documented  SMS  procedures  are  developed  to  cover:  1)  objectives  and 
applications,  2)  safety  and  environmental  protection,  3)  company  responsibilities 
and  authorities,  4)  designated  persons,  5)  Master's  responsibility  and  authority, 
6)  resources  and  personnel,  7)  shipboard  plans,  procedures,  and  instructions,  8) 
emergency  preparedness,  9)  reports  and  analysis  of  accidents,  10)  maintenance 
of  the  ship  and  equipment,  11)  documentation  of  results,  and  12)  company  verifi¬ 
cation  and  evaluation.  Three  key  documents  embody  this  system  and  include  a 
shipboard  emergency  contingency  plan,  a  shipboard  safety  management  manual, 
and  a  SOLAS  training  manual. 

The  U.  S.  Coast  Guard  has  identified  six  fundamental  requirements  for  an 

SMS: 

•  A  safety  and  environmental  protection  policy. 

•  Instructions  and  procedures  to  ensure  safe  operation  of  ships  and  pro¬ 
tection  of  the  environmental  in  compliance  with  relevant  international 
and  Flag  State  legislation. 

•  Defined  levels  of  authority  and  lines  of  communications  between,  and 
among,  shore  and  shipboard  personnel. 

•  Procedures  for  reporting  accidents  and  non-conformities  with  the  provi¬ 
sions  of  the  Code. 

•  Procedures  to  prepare  for  and  respond  to  emergency  situations. 

•  Procedures  for  internal  audits  and  management  review. 

Moore  and  Roberts  [1994]  have  reviewed  and  summarized  these  recent 
developments. 

These  are  obviously  different  approaches  intended  to  help  reach  the  same 
objective;  acceptable  quality.  The  House  of  Lord's  Safety  Case  Study  approach  is 
highly  quantitative  and  based  on  detailed  evaluations  of  existing  and  proposed 
systems.  It  would  strain  the  resources  of  industry  to  perform  such  evaluations 
and  the  implementation  would  be  similarly  difficult.  The  ISM  SMS  is  very  qual¬ 
itative  and  based  on  general  evaluations.  Critical  evaluations  of  existing  and 
proposed  systems  are  not  developed.  One  approach  emphasizes  documentation 
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while  the  other  emphasizes  the  processes  of  evaluation.  They  both  represent 
current  attempts  by  this  segment  of  the  marine  industry  to  improve  quality  and 
safety. 


These  developments  have  paralleled  by  a  very  similar  series  of  develop¬ 
ments  that  pertain  to  the  operations  of  offshore  platforms.  Industrial  and  regu¬ 
latory  guidelines  are  being  revised  to  address  both  the  system  and  the  human  re¬ 
lated  aspects  [Sutherland,  1991;  Bea,  1993;  Barrell,  1993;  Hashemi,  1991; 
Fitzerald,  et  al;,  1991;  Technica,  1983;  Cox,  Walter;  1991;  U.  S.  Dept,  of 
Commerce,  1985;  Andersen  et  al.,  1983;  Vinnem,  Hope,  1992;  Bea,  et  al.,  1992]. 

As  a  result  of  the  Exxon  Valdez  accident,  the  U.  S.  Coast  Guard  initiated  a 
formal  human  factors  research  and  development  program  [Sanquist,  et  al.  1993]. 
This  program  is  addressing  the  five  following  general  areas:  (1)  manning,  quali¬ 
fications  and  licensing,  (2)  automation  design,  (3)  safety  procedures  and  data,  (40 
communications,  and  (5)  organizational  practices.  The  topics  being  addressed  in 
each  of  the  five  areas  are  summarized  in  Table  6.2 


Table  6.2  -  U.  S.  Coast  Guard  human  factors  research  and  development  program 


Manning,  quali¬ 
fications,  licens¬ 
ing 

Automation 

Safety  Method 
and  Data 

Communications 

Organizational 

Practices 

•  job  require¬ 
ments 

•  use  of  simula¬ 
tors 

•  experience  fac¬ 
tors 

•  automation 
impacts 

•  cognitive  im¬ 
pacts 

•  training 

•  bridge  work¬ 
loads 

•  alarm  systems 

•  information 
distribution 

•  electronic  navi¬ 
gation 

•  Vessel  Traffic 
Systems  (VTS) 

•  investigations 

•  human  factors 
inspection  proce¬ 
dures 

•  spill  response 
organization 

•  technical  and 
organization  pro¬ 
cedures 

•  aids  to  naviga¬ 
tion 

•  VTS  communi¬ 
cations 

•  personnel  fa¬ 
tigue 

•  organizational 
policy 

•  OPA '90  im¬ 
pacts 

Examples  of  HOE  in  Design  &  Construction 


The  following  case  histories  have  actually  occurred.  The  author  has  had 
personal  involvement  in  these  case  histories  and  hence  has  intimate  knowledge 
of  the  details.  The  background  from  these  experiences  was  used  as  one  of  the 
bases  for  the  research  reported  by  Pat6-Comell  and  Bea  [1989, 1992].  The  objec¬ 
tive  of  relating  these  examples  is  to  illustrate  some  of  the  aspects  of  how  HOE 
can  influence  the  design  and  construction  of  marine  structures. 

The  Sliding  Platforms.  In  1966,  an  offshore  lease  was  purchased.  The 
site  surveys  indicated  an  unusual  bathymetry.  An  initial  evaluation  indicated 
the  potential  for  mud  slides.  A  study  was  initiated  in  1967  to  investigate  this 
phenomenon  and  evaluate  the  risk.  The  design  of  a  conventional  platform  was 
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commissioned  (1967)  on  the  premise  that  if  the  risk  of  mudslide  was  found  to  be 
too  high,  the  platform  would  be  sited  elsewhere  and  a  mudslide  resistant  plat¬ 
form  would  be  designed  for  the  location. 

The  design  was  completed  before  the  risk  study.  The  management  made 
the  decision  to  start  the  construction  of  the  platform  so  that  if  the  study  indi¬ 
cated  that  the  site  was  safe,  the  project  would  be  on  schedule. 

The  risk  study,  when  it  was  completed,  confirmed  the  presence  of  mud 
slides  and  indicated  that  the  risk  of  failure  at  the  proposed  site  was  ten  to  a 
hundred  times  greater  than  for  a  conventional  site.  The  recommendation  was 
made  not  to  site  a  conventional  platform  at  the  proposed  location. 

The  management  and  the  technical  team  met  to  discuss  these  recommen¬ 
dations.  A  technical  report  was  written  stating  that  if  a  conventional  platform 
was  installed  at  the  site,  it  would  fail  in  a  short  period  of  time  due  to  overloading 
by  mudslide  forces.  The  management,  however,  made  the  decision  to  site  the 
conventional  platform  at  the  proposed  location.  The  lead  engineer  refused  to 
sign  the  final  construction  drawings. 

One  platform  was  knocked  to  the  sea  floor,  and  an  adjacent  platform 
moved  down-slope  during  a  storm  in  August  1969.  The  sliding  around  the  adja¬ 
cent  platform  was  discovered  when  workers  tried  to  rim  tools  through  the  well 
conductors.  Laser  survey  of  the  piles  disclosed  significant  platform  movement 
had  occurred.  The  still  standing  platform  was  then  declared  a  constructive  loss 
and  an  insurance  claim  was  made.  Both  platforms,  however,  were  salvaged. 

The  managers  involved  in  the  decision  suffered  career  by-pass  and  eventu¬ 
ally  left  the  company.  These  managers  stated  that  they  never  believed  in  the 
slide  hazard.  The  technical  staff  involved  suffered  the  opposite  type  of  credibility 
crisis:  management  after  this  episode  started  believing  them  too  much  without 
asking  questions. 

Analysis:  The  sequence  of  errors  came  from  an  organizational  commit¬ 
ment  made  without  proper  information.  When  this  information  became  avail¬ 
able,  the  time  pressures  were  such  that  the  management  had  strong  incentives 
to  dismiss  it.  By  then,  it  had  lost  a  lot  of  its  value  due  to  poor  timing.  The  result 
is  a  culmination  of  errors  of  judgment  that  can  be  described  as  follows: 

(1)  a  very  risk  prone  attitude  in  the  decision  to  begin  the  work  without  the 
tests'  results,  and 

(2)  a  refusal  to  use  the  information  when  it  became  available  because  it 
revealed  that  the  previous  move  was  a  mistake. 

The  Homeless  Mobile  Drilling  Rig.  During  the  winter  of  1979,  a  mo¬ 
bile  drilling  unit  originally  designed  for  the  storm  conditions  of  the  Gulf  of 
Mexico,  was  proposed  for  siting  in  Lower  Cook  Inlet,  Alaska.  The  platform,  lo¬ 
cated  offshore  of  California,  was  preparing  for  transfer  to  Alaska.  The  client  oil 
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company  contacted  a  consultant  to  make  a  risk  assessment  for  siting  the  plat¬ 
form  in  Alaska. 

Data  were  gathered  on  site  conditions  as  well  as  the  conditions  of  the  unit, 
looking  for  fatigue  damage  to  the  legs  from  long  tows.  A  risk  assessment  was 
made  and  the  results  were  compared  to  risks  of  the  same  unit  during  the  storm 
season  if  it  were  sited  in  the  Gulf  of  Mexico.  The  results  indicated  that  the  risk 
in  Alaska  was  ten  times  greater  than  in  the  Gulf  of  Mexico. 

In  particular,  the  consultants  recommended  not  to  site  the  units  during 
the  proposed  period  but,  rather,  two  or  three  months  later  when  the  chances  of 
storms  and  icing  are  lower.  The  client  oil  company  did  not  want  to  wait  because 
of  the  costs  involved  ($100,000  per  day)  in  putting  the  unit  on  standby  for  two  or 
three  months. 

The  client  decided  to  discuss  the  risk  of  siting  with  the  rig  owner,  the  rig 
operator,  the  rig  classifier,  the  rig  mover,  and  the  rig  insurer.  The  risk  assess¬ 
ment  was  presented  to  this  decision  making  group  and  a  report  written  summa¬ 
rizing  the  results. 

The  group  decided  that  the  risk  was  too  great  to  site  the  rig  during  the  ini¬ 
tially  proposed  period  and  the  decision  was  made  to  delay  the  siting  until  after 
the  winter  storm  season.  The  group  asked  the  consultant  if  they  really  believed 
their  risk  assessment  results,  which  the  consultant  confirmed.  The  client  re¬ 
quired  the  presence  of  the  consultant  onboard  during  the  starting  of  operations, 
as  one's  perspective  on  risk  may  change  as  a  function  of  one's  proximity  to  it. 

The  unit  operated  without  incident  and  was  later  taken  to  Norton  Sound, 
Alaska.  The  risk  assessment  was  then  repeated,  this  time  with  respect  to  scour 
around  the  rig's  footing.  The  results  indicated  that  the  probability  of  scour  was 
high.  The  unit  was  placed  in  Norton  Sound.  Footings’  scour  did  occur  and  pro¬ 
tection  had  to  be  placed  in  order  to  prevent  damage  to  the  rig.  Two  divers  were 
killed  during  the  placement  of  the  scour  protection.  The  unit  was  then  towed 
from  Norton  Sound  to  California.  During  the  transit,  a  mysterious  flooding  oc¬ 
curred  and  the  unit  sank  in  the  Aleutian  trench  in  6,000  ft  of  water. 

Analysis:  The  fundamental  error  here  is  again  one  of  bad  judgment,  this 
time,  the  failure  to  consider  a  particular  type  of  external  event  (scour)  that  later 
threatened  to  cause  platform  failure.  It  is  an  information  error  that  was  proba¬ 
bly  induced  by  earlier  difficulties  and  costs  due  to  the  relocation  of  the  structure. 

It  seems  that  the  decision  makers,  having  already  experienced  the  costs  of 
the  prudent  decision  to  delay  the  Alaska  siting,  did  not  want  to  know  more  about 
potential  problems.  The  final  error  can  be  traced  to  a  refusal  of  information  and 
a  breakdown  in  communications. 

The  Upside  Down  Platform.  A  platform  steel  jacket  was  designed  to  be 
launched  from  a  floating  barge  and  towed  to  the  platform  site.  The  jacket  weight 
and  buoyancy  were  checked  to  determine  if  the  jacket  would  float  after  launch- 
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ing.  The  calculations  indicated  that  additional  buoyancy  tanks  were  needed  to 
make  the  jacket  float.  Buoyancy  tanks  were  added  and  placed  at  the  upper  face 
of  the  top  end  of  the  jacket.  The  jacket  was  launched,  but  because  of  very  high 
momentum  when  the  jacket  rotated,  the  jacket  buoyancy  at  the  upper  face  of  the 
top  end  was  ineffective  at  slowing  the  jacket's  movement.  The  jacket  embedded 
upside  down.  The  buoyancy  was  insufficient  to  raise  the  top  of  the  jacket  that 
had  more  stability  upside  down.  The  closure  plates  of  the  legs  leaked  due  to  bad 
welds  and  the  reserve  buoyancy  was  lost.  Due  to  bad  weather,  it  took  two 
months  and  a  lot  of  money  to  right  the  jacket. 

The  next  engineer  who  designed  a  similar  structure  decided  to  launch  it  in 
deep  water  fifteen  miles  from  the  intended  location  then  to  tow  it  to  the  site. 
During  the  tow,  the  jacket  swung  against  the  towing  barge  and  crushed  two  legs. 
The  jacket  had  to  be  towed  into  shallow  waters  to  expose  the  legs.  The  damaged 
portions  of  the  legs  had  to  be  cut  out  and  new  sections  were  welded  in.  In  trying 
to  correct  the  first  error,  a  second  error  had  been  committed  that  added  to  the 
costs  of  the  first  one. 

Analysis:  This  is  a  case  of  gross  error  due  to  lack  of  experience. 

Although  some  checking  did  occur  and  an  initial  defect  was  revealed,  the  correc¬ 
tive  action  that  followed  was  insufficient  to  fix  the  problem. 

The  second  error  was  a  repeat  of  the  same  phenomenon.  Both  errors  were 
cases  of  wrong  understanding  (i.e.,  wrong  models)  of  the  dynamic  behavior  of  the 
structure  during  the  launch  and  during  the  tow. 


Sleipner  A  Finite  Element  Error 


The  Sleipner  A  platform  failure  is  a  prime 
example  of  a  recent  marine  structural  failure  due 
to  HOE  that  occurred  during  the  design  [Jakobsen, 
1992],  This  design  error  had  catastrophic 
consequences  during  construction.  During  a  ballast 
test  operation  in  August  1991,  the  Sleipner  A 
Gravity  Base  Structure  (GBS,  Figure  6.7)  sank  to 
the  bottom  of  a  fjord  in  200  meters  of  water  outside 
Stavanger,  Norway. 

The  GBS  had  been  constructed  by 
Norwegian  Contractors  (NC)  over  the  previous  2 
years.  The  base  of  the  structure  had  been  ballasted 
to  a  depth  of  97.5  meters  prior  to  deck  mating. 

This  was  the  deepest  submergence  that  the  plat¬ 
form  was  intended  to  experience. 

A  deep  bang-like  sound  occurred  in  the  D3- 
shaft  (Figure  6.8).  The  sound  was  followed  by  a 
sound  of  running  water  from  the  direction  of  the  D3 


Figure  6.7  -  Sleipner  A 
GBS 
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shaft.  Investigation  of  the  shaft  was  undertaken  and  water  was  first  seen 
entering  above  the  intended  ballast  water  level  at  the  star-cell  intersection 
(Figure  6.8).  Emergency  deballasting  was  started  by  pumping  water  from  three 
of  the  cells  surrounding  the  D3  shaft,  but  the  pumping  could  not  keep  up  with 
the  sinking. 

Approximately  8  minutes  after  the  first  bang,  the  order  to  abandon  the 
platform  was  given.  The  people  aboard  the  platform  were  evacuated.  The  plat¬ 
form  disappeared  from  the  surface.  The  base  cells  imploded  and  the  platform 
became  a  pile  of  concrete  rubble  on  the  floor  of  the  fjord. 


The  Sleipner  A  platform  was  the  twelfth  in  a  series  of  Condeep  GBS  plat¬ 
form  built  by  NC.  It  was  a  typical  GBS  with  24  caisson  cells  over  a  base  area  of 
about  16,000  square  meters.  The  technology  for  the  design  and  construction  of 
this  platform  were  well  established  and  proven. 


Overview  of  the  cell  structure. . 

(ie.  horizontal  section  of  the  caisson.) 


.  Location  of  Sleipner  A-l  failure 


Figure  6.8  -  Details  of  the  Sleipner  GBS  base  cells  and  tri-cell  intersection  rein¬ 
forcement  and  failure 
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An  extensive  investigation  concluded  that  the  primary  causes  of  failure 
were  as  follows  [Jakobsen,  1992;  Rettedal,  Gudmestad,  Aarum,  1993]: 

a)  Direct  Cause  -  the  global  finite  element  analysis  used  to  calculate  sec¬ 
tional  forces  gave  a  47  percent  under-estimation  of  the  shear  forces  in  the 
tricell  walls.  The  error  was  caused  by  use  of  a  coarse  finite  element  mesh 
with  some  skewed  elements  used  for  analysis  of  the  tricell  walls.  The 
lower  design  forces  resulted  in  lack  of  shear  reinforcement  in  portions  of 
the  cell  and  tricell  joints. 

b)  Compounding  Causes  -  reinforcement  was  improperly  detailed  in  the 
tricell  joints.  The  T-headed  shear  reinforcement  bars  were  detailed  too 
short  and  were  anchored  in  a  tension  zone  (Figure  6.8).  The  conventional, 
but  difficult  to  install  stirrup  reinforcement  was  omitted  from  the  joint. 
The  tricell  joints  were  not  designed  or  checked  as  separate  components. 
The  same  reinforcement  designed  for  the  cell  walls  was  continued  through 
the  tricell  joints.  Testing  subsequent  to  the  failure  confirmed  the  inade¬ 
quacy  of  the  reinforcement. 

c)  Contributing  Causes  -  similar  failures  of  the  tricell  joints  had  oc¬ 
curred  in  previous  GBS.  The  problem  had  been  detected  and  remedied  be¬ 
fore  it  had  become  catastrophic.  However,  all  of  the  personnel  involved  in 
these  earlier  problems  were  not  involved  in  the  Sleipner  A  design  and  con¬ 
struction.  There  was  a  "loss  of  corporate  memory".  In  addition,  because 
the  design  and  construction  had  become  so  "well  established",  and  because 
of  time  and  budget  limitations,  detailed  and  over-view  checking  had  been 
curtailed. 

Following  the  sinking  of  the  Sleipner  A  GBS,  a  number  of  studies  and 
steps  were  taken  to  prevent  a  mistake  of  such  magnitude  from  occurring  again 
[Rettedal,  et  al.,  1993].  Extensive  physical  testing  of  the  tricell  joints  were  per¬ 
formed.  The  geometry  of  the  tricell  was  changed.  There  were  extensive  and 
careful  finite  element  analyses  performed  of  the  joint.  These  analyses  were  cali¬ 
brated  and  verified  with  the  results  from  the  physical  tests  on  the  joint. 

In  addition,  revised  design  guidelines  and  regulations  were  implemented. 
There  was  a  considerable  increase  in  independent  design  checking  and  verifica¬ 
tion.  The  revised  design  guidelines  and  regulations  included  an  increase  in  the 
design  load  factor  for  water  pressure,  a  new  concrete  design  code  shear  capacity 
formula,  stricter  water  tightness  criteria,  larger  concrete  cover  on  reinforcement, 
stricter  tolerances  on  reinforcement  placement  and  more  transverse  reinforce¬ 
ment  required,  structure  would  be  designed  to  with  stand  a  100-year  summer 
storm  load  in  the  installation  phase,  vertical  prestressing  cables  were  to  be  used 
in  all  shafts  to  minimize  tensile  loadings  and  cracks  (developing  a  "robust"  or 
damage  tolerant  structure),  and  double  barriers  for  all  openings  and  penetra¬ 
tions  in  the  base  cells. 

The  changes  made  in  the  design  process  were  primarily  intended  to  pro¬ 
vide  added  capacity  and  robustness.  Extensive  Quantified  Reliability  Analyses 
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(QRA)  were  performed  to  identify  how  and  where  to  place  design  safeguards 
[Rettedal,  Gudmestad,  Aarum,  1993]. 

Most  notable  of  the  changes  was  a  400  %  increase  in  the  total  man-hours 
for  verification  and  checking  work.  In  the  wake  of  a  major  accident  which 
"should  not  have  happened,"  there  is  little  tendency  to  view  added  safety  precau¬ 
tions  as  overkill.  Due  to  the  delays  caused  by  the  failure,  there  were  extreme 
pressures  to  develop  a  replacement  platform  as  soon  as  possible.  With  time  of 
the  essence  and  the  memory  of  the  failure  fresh,  the  increased  safety  measures 
were  readily  included  in  the  design,  rather  than  evaluated  as  to  their  necessity. 

The  platform  was  re-designed  and  re-built  by  NC.  It  was  successfully  in¬ 
stalled  two  years  after  the  failure  of  Sleipner  A.  The  total  cost  of  the  failure  was 
estimated  to  be  in  excess  of  $  1  billions  (U.  S.). 

In  Chapter  9,  two  studies  will  be  discussed  that  address  quantitative 
evaluations  of  how  to  improvement  management  of  HOE  in  the  re-design  of  the 
Sleipner  A  platform. 


Classifications  of  Sources  of  Errors 


Factors  that  contribute  to  human  errors  can  be  categorized  into  organiza¬ 
tional,  individual,  and  systems  (hardware,  software)  errors.  Organizational  in¬ 
fluences  have  been  found  to  have  profound  impacts  on  operational  quality  of  ma¬ 
rine  structures  [Perrow,  1984;  Bea,  Moore,  1991;  Embrey,  1991;  Reason,  1991; 
Robinson,  1991].  Individual  or  human  errors  are  those  which  are  made  by  a  sin¬ 
gle  person  which  can  contribute  to  an  accident.  The  chain  of  events  which  led  to 
the  Occidental  Piper  Alpha  accident  were  initiated  by  events  leading  from  an  un¬ 
finished  maintenance  job  in  the  gas  compression  module  [UK  Dept,  of  Energy, 
1990].  Their  escalation  could  be  directly  attributed  to  a  wide  variety  of  organiza¬ 
tion  errors  including  corporate  decisions  made  regarding  manning,  relief  super¬ 
vision,  the  supervision  of  work  crews,  and  the  provision  of  production  incentives 
[Martin,  1991]. 

A  similar  chain  of  contributing  and  compounding  causes  firmly  founded  in 
organizations  can  be  identified  in  the  grounding  of  the  Exxon  Valdez  (Moore, 
1994;  Moore,  Bea,  Roberts,  1993).  This  compromise  in  acceptable  quality  was 
not  fundamentally  a  failure  rooted  in  structural  and  equipment  systems,  but  in 
organizational  systems  [Wenk,  1983].  The  contributing  and  compounding  errors 
directly  involved  the  responsible  regulatory  and  industrial  organizations 
[Moore,  1994;  Moore,  Bea,  Roberts,  1993]. 

Experience  indicates  that  the  influences  of  the  organizations  on  the  relia¬ 
bility  of  marine  systems  generally  is  the  most  pervasive  of  the  human  factor  re¬ 
lated  causes  of  accidents  (Figure  6.1).  High  reliability  organizations  inherently 
develop  high  reliability  operators,  systems,  and  operations  (and  vice  versa) 
[Roberts,  1989;  Roberts,  1993;  Koch,  1993].  High  reliability  organizations  gen- 
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erally  focus  on  the  long-term  quality  of  production,  not  on  the  short-term  quan¬ 
tity  of  production.  High  reliability  organizations  generally  take  long-term  views 
and  found  their  short-term  activities  on  their  ability  to  develop  long-term  quality 
productivity.  Low  reliability  organizations  focus  on  short-term  gains  and  pro¬ 
ductivity  [Koch,  1993]. 

The  sources  of  organization  errors  can  be  placed  into  three  general  cate¬ 
gories  [Moore,  Bea,  1993b;  Moore,  1994].  The  first  is  upper  level  management 
The  lack  of  appropriate  resources  and  commitments  to  achieve  reliability  and 
the  provision  of  conflicting  goals  and  incentives  (e.g.  maintain  production  when 
it  needs  to  be  decreased  to  allow  maintenance  to  be  performed  on  the  system)  are 
examples  of  upper  level  management  errors.  The  second  is  front  line  manage¬ 
ment.  Information  filtering  (make  it  look  better  than  it  really  is,  tell  the  boss 
what  he  wants  to  hear  -  good  news),  and  redirection  of  resources  to  achieve  pro¬ 
duction  at  the  expense  of  safety  are  examples  of  font  line  management  errors. 

The  third  category  is  the  design,  construction,  or  operating  team.  Team 
work  in  which  there  is  an  inherent  and  thorough  process  of  checking  and  verifi¬ 
cation  have  proven  to  be  particularly  important:  "if  you  find  a  problem,  you  own 
it  until  it  is  either  solved  or  you  find  someone  to  solve  it"  [Roberts,  1993],  The 
lack  of  team  work  represented  in  poor  communications  between  work  shifts 
(ineffective  permit  to  work  systems)  or  between  work  teams  and  the  platform 
control  room  have  resulted  in  several  major  accidents  [Embrey,  1991; 
Sutherland,  1991].  Communications  break-downs  and  errors  caused  by  lan¬ 
guages  and  cultures  are  a  common  source  of  accidents  in  ship  operations  involv¬ 
ing  crews  of  various  nationalities  [Gathes,  1989;  UK  P&I  Club,  1993]. 

Errors  can  also  be  observed  with  human-system  (equipment,  structure, 
software  or  instructions  manuals)  interfacing.  These  are  described  as  system 
(hardware)  errors  and  procedure  (software)  errors.  System  errors  can  be  at¬ 
tributed  to  design  errors  and  result  in  an  operator  making  improper  decisions. 
Similarly,  the  procedures  and  guidelines  provided  to  design,  construct,  or  oper¬ 
ate  a  system  can  be  seriously  flawed.  System  errors  led  to  the  loss  of  the  ballast 
control  aboard  the  Odeco  Ocean  Ranger  [Pat6-Comell,  Bea,  1989;  Moore,  Bea, 
1993a]  and  emergency  system  failure  aboard  the  Occidental  Piper  Alpha  [UK 
Dept,  of  Energy,  1990;  Martin,  1991].  Appropriate  operating  manuals  on  how  to 
interrupt  potentially  catastrophic  sequences  were  almost  totally  lacking  in  both 
of  these  cases. 

Several  design  errors  have  recently  been  traced  to  design  guidelines  and 
design  software  that  were  seriously  flawed  [Moore,  Bea,  1993b;  Pate-Comell, 
Bea,  1989;  Jakobsen,  1992].  Unnecessary  complexity  and  insufficient  checking 
had  embedded  serious  software  "bugs"  that  resulted  in  serious  design  errors. 

In  1993,  the  American  Petroleum  Institute  issued  the  first  edition  of 
LRFD  guidelines  for  design,  construction,  and  maintenance  of  offshore  plat¬ 
forms:  API  RP  2 A  -  LRFD.1  At  the  same  time  these  guidelines  were  issued, 


1This  effort  required  15  calendar  years  and  an  estimated  10  man-years  to  complete. 
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substantial  changes  were  made  in  the  design  procedures  and  guidelines  to  de¬ 
termine  hydrodynamic  forces.  These  procedures  represented  a  major  technical 
step  forward  in  detailing  how  engineers  could  determine  storm  loadings  acting 
on  offshore  platforms. 

Experienced  engineers  that  were  faced  with  implementation  of  these 
guidelines  made  several  dramatic  mistakes  in  initial  applications.  Their  experi¬ 
ence  with  WSD  did  not  "translate"  to  a  similar  feeling  for  LRFD  results.  The 
complexity  of  the  revised  hydrodynamic  force  guidelines  also  resulted  in  several 
dramatic  over-estimates  of  the  design  forces.  Engineers  would  not  in  general 
take  advantage  of  a  variety  of  load-reduction  parameters  in  the  formulation. 

The  engineers  were  not  properly  trained  or  given  sufficient  resources  of  time  and 
assistance  to  overcome  the  problems  of  these  initial  applications. 

This  experience  suggests  that  when  new  design  guidelines  and  codes  are 
developed,  thought  and  detailed  considerations  should  be  given  to  the  implemen¬ 
tation  and  QA  /  QC  aspects  (implement  TQE).  The  author  has  observed  the  need 
for  similar  considerations  in  development  of  the  ISO  versions  of  the  API  RP  2A 
guidelines.  Engineers  bent  on  "progress"  and  not  founded  in  consideration  of  the 
"human"  aspects  generally  have  little  patience  for  nor  regard  for  such  considera¬ 
tions.  The  best  technology  is  not  necessarily  the  most  complex  technology. 
Elegant  simplicity  and  clarity  need  to  be  emphasized  if  one  is  to  avoid  embed¬ 
ding  errors  and  error  promoting  procedures  in  design  guidelines. 

The  external  and  internal  environments  can  contribute  to  the  error  pro¬ 
ducing  potential  of  the  humans  that  design,  construct,  and  operate  marine  sys¬ 
tems.  External  environmental  factors  such  as  darkness,  extreme  low  tempera¬ 
tures,  and  extreme  storms  can  exacerbate  human  error  producing  potentials 
[ASTM,  1993;  Miller,  1990].  Similarly,  internal  environmental  factors  such  as 
poor  visibility,  smoke,  and  intense  motions  can  cause  errors  [Martin,  1991; 
Moore,  Bea,  1993b]. 

Human  and  organization  interrelationships  with  systems,  procedures,  and 
environments  (internal,  external)  can  be  organized  as  shown  in  Figure  6.9 
[Hawkins,  1987].  There  are  error  producing  potentials  within  each  of  the  pri¬ 
mary  sectors  including  the  human  operators  (designers,  constructors,  operators), 
the  organizations  that  influence  these  operators,  the  systems  themselves 
(hardware),  the  documentation  that  embody  the  manuals  of  use  or  practice  for 
the  systems  (software),  and  finally  the  external  and  internal  environments.  In 
addition  to  the  error  producing  potentials  within  each  of  these  sectors,  there  are 
error  producing  potentials  at  the  interfaces  of  the  sectors  [Reason,  1991;  Roberts, 
1993], 
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Organizations 


Figure  6.9  -  Components  and  interfaces  that  can  lead  to 
human  errors  resulting  in  undesirable  quality 


Human  Errors 


Human  errors  can  be  described  as  actions  taken  by  individuals  that  can 
lead  an  activity  (design,  construction,  operation)  to  realize  a  lower  quality  than 
intended.  These  are  errors  of  commission.  Human  errors  also  include  actions 
not  taken  that  can  lead  an  activity  to  realize  a  lower  quality  than  intended. 
These  are  errors  of  omission. 

Human  errors  might  best  be  described  as  "actions  and  inactions  that  re¬ 
sult  in  lower  than  acceptable  quality"  to  avoid  implications  of  blame  or  shame. 
Human  errors  also  have  been  described  as  "misadministrations."  and  "unsafe  ac¬ 
tions." 


Human  errors  can  be  described  by  types  of  error  mechanisms  (Reason, 
1990).  These  include  slips  or  lapses,  mistakes,  and  circumventions.  Slips  and 
lapses  lead  to  low  quality  actions  where  the  outcome  of  the  action  was  not  what 
was  intended.  Frequently,  the  significance  of  this  type  of  error  is  small  because 
that  these  actions  not  being  as  intended  are  easily  recognized  by  the  person  in¬ 
volved  and  in  most  cases  easily  corrected. 

Mistakes  can  be  developed  while  the  action  was  as  intended,  but  the  in¬ 
tention  was  wrong.  Circumventions  (or  violations)  are  developed  where  a  person 
decides  to  break  some  rule  for  what  seems  to  be  a  good  (or  benign)  reason  to 
simplify  or  avoid  the  task. 
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Mistakes  are  perhaps  the  most  significant  because  they  are  being  fol¬ 
lowed  purposefully  by  the  user  who  has  limited  clues  that  there  is  a  problem. 
Often,  it  takes  an  outsider  to  the  situation  to  identify  mistakes. 

Circumventions  are  potentially  significant  contributors  to  risk  because 
these  conditions  can  result  from  unexpected  combinations  of  errors  and  circum¬ 
ventions. 


Based  on  a  study  of 

major  unanticipated  Table  6.3  -  Human  error  factors 

compromises  of  acceptable 
quality  involving  marine 
structures,  Table  6.3 
summarizes  the  primary 
factors  which  have  resulted 
in  individual  errors.  The 
error  factors  range  from  those 
of  judgment  to  ignorance, 
folly,  and  mischief  [Wenk, 

1986].  Inadequate  training  is 
a  primary  contributor  to 
many  of  the  past  failures  of 
marine  structures.  Fatigue  combined  with  boredom  have  played  a  role  in  many 
of  the  accidents  [Gates,  1989;  Pollard,  et  al,  1990;  Panel  on  Human  Error  in 
Merchant  Marine  Safety,  1976], 


Fatigue 

Wishful  think¬ 
ing 

Bad  judgment 

Negligence 

Mischief 

Carelessness 

Ignorance 

Laziness 

Physical 

Panic 

Violations 

limitations 

Greed 

Drugs 

Boredom 

Folly 

inadequate 

inadequate 

i  Ego 

communication 

training 

Human  errors  are 
magnified  and 
compounded  in  times  of 
extreme  pressure  [Panel 
on  Human  Error  in 
Merchant  Marine  Safety, 
1976;  Martin,  1991]. 
Pressure  results  from  a 
combination  of  task 
complexity,  training  in 
performance  of  the  task, 
the  required  task 
precision,  psychological 
stress,  intensity  of  distrac¬ 
tions,  and  the  severity  of 
impairments. 


Figure  6.10  -  Effects  of  pressures  on  human 
As  shown  in  Figure  performance 
6.10,  optimal  performance 
levels  are  observed  at  an 
"appropriate  level  of 

arousal."  There  is  a  marked  and  rapid  decrease  in  the  performance  reliability 
after  the  optimum  pressure  has  been  passed.  The  human  performance  levels 
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vary  between  individuals  depending  upon  training,  variability  between  individu¬ 
als,  organizational  pressures,  and  complexity  of  the  operating  system. 

Nevertheless,  performance  is  observed  to  deteriorate  when  pressure  levels 
are  either  too  low  or  high.  For  example,  times  of  high  pressures  could  be  effected 
by  stress  or  panic  while  low  human  performances  could  be  the  result  of  boredom 
or  laziness.  Both  extremes  can  contribute  to  increase  the  incidence  of  human  er¬ 
rors. 


A  mishap  is  differentiated  into  three  psychological  stages:  perceiving, 
thinking,  and  acting  (Figure  6  .11)  [Bea,  Moore,  1992;  ASTM,  1993].  The  danger 
threshold  could  be  reached  by  either  a  lack  of  sufficient  time  to  react,  or  errors  in 
perception,  thought  or  action  which  would  either  lengthen  the  time  between 
events  or  increase  the  magnitude  of  the  danger  buildup.  The  perception  stage 
starts  with  a  mishap  and  is  followed  by  a  warning.  The  warning  is  then  noticed 
and  leads  to  recognition  of  the  mishap  source.  The  thinking  stage  begins  with 
the  identification  of  the  problem  and  information  (whether  complete  or  incom¬ 
plete)  is  processed  at  this  stage  to  evaluate  decisions  for  the  best  course  of  ac¬ 
tion.  The  mishap  is  acted  upon  with  execution  of  a  plan  and  the  system  is  re¬ 
turned  to  a  normal  operating  status  or  escalates  to  a  dangerous  state. 


Figure  6.11  -  Effects  of  personnel  selection  &  training  on  crisis 
management 
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Human  intervention  is  responsible  for  near  misses.  Humans  intervene  to 
interrupt  potentially  catastrophic  combinations  of  actions  and  events  to  bring 
systems  back  to  within  the  safe  operating  zone.  Experience  indicates  that  there 
are  generally  many  more  near  misses  than  there  are  major  accidents.  If  recog¬ 
nized,  information  on  near  misses  can  provide  valuable  information  to  prevent 
direct  hits  [Reason,  1991].  Personnel  selection  and  crisis  training  can  have 
marked  influences  on  an  individual's  or  team's  abilities  to  return  a  system  to  a 
safe  state  [Sutherland,  1991]. 


Based  on  a  study  of 
available  accident  databases  on 
marine  systems  and  study  of 
case  histories  in  which  the 
acceptable  quality  of  marine 
systems  has  been  compromised, 
the  primary  factors  which  can 
result  in  human  errors  are 
identified  in  Figure  6.12  [Bea, 
Moore,  1994]. 

This  human  error  classi¬ 
fication  (taxonomy)  is  intended 
to  allow  the  exclusive  and 
exhaustive  identification  of  how 
individuals  can  make  errors  in 
the  design,  construction,  and 
operation  of  marine  structures. 


The  sources  of  mistakes 
or  cognitive  errors  are  further 
detailed  in  Figure  6.13. 


Figure  6.12  -  Classification  of  human  errors 


Figure  6.13  -  Classification  of  cognitive  errors 
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Analysis  of  past  decisions  regarding  the  design,  construction,  and  opera¬ 
tion  of  marine  structures  provides  numerous  examples  of  instances  in  which  or¬ 
ganizational  failures  have  resulted  in  failures  of  marine  systems  [Wenk,  1986; 
Pate-Cornell,  Bea,  1989;  1992;  Petroski,  1985;  Perrow,  1984].  Either  collections 
of  individuals  (organizations,  teams)  or  individuals  (unilateral  actions)  con¬ 
tribute  to  accident  situations.  Failures  can  occur  as  a  result  of  an  organization's 
or  an  individual's  willingness  to  take  a  calculated  risk.  Failures  can  result  from 
different  types  of  inevitable  errors  that  can  be  corrected  in  time,  provided  they 
are  detected,  recognized  as  errors,  and  corrective  action  is  promptly  taken 
[Roberts,  1993].  Failures  can  also  occur  as  the  result  of  errors  or  bad  decisions, 
most  of  which  can  be  traced  back  to  organizational  malfunctions. 

Table  6.4  summarizes  the  primary  factors  which  can  have  negative  effects 
on  organizational  reliability.  For  example,  the  goals  set  by  the  organization  may 
lead  rational  individuals  to  conduct  operations  aboard  a  platform  in  a  manner 
that  corporate  management  would  not  approve  if  they  were  aware  of  their  relia¬ 
bility  implications.  Similarly,  corporate  management,  under  pressures  to  reduce 
costs  and  maintain  schedules,  may  not  provide  the  necessary  resources  required 
to  allow  adequately  safe  operations. 


Table  6.4  -  Organizational  error  factors 


Time  pressures 

Low  quality  culture 

Negative  incentives 

Cost  -  profit  incentives 

Low  worker  morale 

Poor  communications 

Violations 

Ego 

Ineffective  monitoring 
Complex  structure 

Poor  planning  /  training 
Rejection  of  information 

ineffective  regulatory  re¬ 
quirements 

Inequitable 

promotion  -  recognition 

Production 

orientation 

Generally,  two  classes  of  problems  face  an  organization  in  making  collec¬ 
tive  decisions  that  result  from  sequences  of  individual  decisions:  information 
(who  knows  what  and  when?),  and  incentive  (how  are  individuals  rewarded, 
what  decision  criteria  do  they  use,  how  do  these  criteria  fit  the  overall  objectives 
of  the  organization?).  In  development  of  programs  to  improve  management  of 
HOE,  careful  consideration  should  be  given  to  information  (collection,  communi¬ 
cations,  and  learning)  and  incentives,  particularly  as  they  affect  the  balancing  of 
several  objectives  such  as  costs  and  safety  under  uncertainty  in  operations  of  off¬ 
shore  platforms. 

The  structure,  the  procedures,  and  the  culture  of  an  organization  con¬ 
tribute  to  the  safety  of  its  product  and  to  the  economic  efficiency  of  its  risk  man¬ 
agement  practices.  The  organization’s  structure  can  be  unnecessarily  complex 
and  demand  flawless  performance  [Koch,  1993].  This  can  result  in  little  or  no 
credible  feedback  to  the  upper  levels  of  management.  The  resulting  safety  prob- 
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lem  is  that  there  may  be  inconsistencies  in  the  decision  criteria  (e.g.  safety  stan¬ 
dards)  used  by  the  different  groups  for  various  activities.  This  can  result  in  large 
uncertainties  about  the  overall  system  safety,  about  the  reliability  of  the  inter¬ 
faces,  and  about  the  relative  contribution  of  the  different  subsystems  to  the 
overall  failure  probability. 

Organization  and  management  procedures  that  affect  system  reliability 
include,  for  example,  parallel  processing  such  as  developing  design  criteria  at  the 
same  time  as  the  structure  is  being  designed,  a  procedure  that  may  or  may  not 
be  appropriate  in  economic  terms  according  to  the  costs  and  the  uncertainties. 

Experience  indicates 
that  one  of  the  major  factors 
in  organizational  error  is  the 
"culture"  of  the  organization 
[Roberts,  1989;  1993;  Koch, 

1993].  For  example,  the 
dominant  culture  may 
reward  risk  seeking  (flirting 
with  disaster)  or  su¬ 
perhuman  endurance 
(leading  to  excessive 
fatigue),  an  attitude  that  in 
the  long  run  may  prove 
incompatible  with  the 
objectives  of  the 
organization.  Another 
feature  may  be  the  lack  of 
recognition  of  uncertainties 
leading  to  systematic  biases 
towards  optimism  and 
wishful  thinking. 

Organization  error  is 

a  departure  from  acceptable  or  desirable  practice  on  the  part  of  a  group  of 
individuals  that  results  in  unacceptable  or  undesirable  results.  A  summary  of 
the  principal  factors  that  can  contribute  to  or  result  in  organization  errors  is 
given  in  Figure  6.14.  Total  Quality  Management  (TQM)  philosophies,  practices, 
and  procedures  have  been  developed  primary  to  address  the  human  and 
organizational  aspects  associated  with  achieving  quality  in  goods  and  services 
[Ashley,  Pemg,  1987]. 


Figure  6.14  -  Classification  of  organization  errors 
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System  &  Procedure  Errors 


Errors  can  be  initiated  by  or  exacerbated  by  poorly  engineered  systems 
and  procedures  that  invite  errors  [Miller,  1990;  ASTM,  1993].  Such  systems  are 
difficult  to  construct,  operate,  and  maintain.  Table  6.5  summarizes  system  and 
procedures  factors  and  flaws  which  can  affect  the  quality  of  marine  systems. 

New  technologies  compounds  the  problems  of  latent  system  flaws. 
Complex  design,  close  coupling  (failure  of  one  component  leads  to  failure  of  other 
components)  and  severe  performance  demands  on  systems  increase  the  difficulty 
in  controlling  the  impact  of  human  errors  even  in  well  operated  systems. 


Table  6.5  -  System  &  procedure  error  factors 


Complexity 

Latent  flaws 

Severe  demands 

Close  coupling 

Small  tolerances 

False  alarms 

Lack  of  robustness 

Inaccessibility 

Incomplete  software 

incorrect  signals 

Difficult  maintenance 

Poor  visibility 

Emergency  displays  have 
been  found  to  give  improper 
signals  of  the  state  of  the 
systems.  Land  based  industries 
can  spatially  isolate 
independent  subsystems  whose 
joint  failure  modes  would 
constitute  a  total  system  failure. 

System  errors  resulting  from 
complex  designs  and  close 
coupling  are  more  apparent  due 
to  spatial  constraints  aboard 
ships  and  platforms.  The  field 
of  "ergonomics"  has  largely 
developed  to  address  the  human 
-  machine  or  system  interfaces. 

Specific  guidelines  have  been 
developed  to  facilitate  the 
development  of  such  systems  [ASTM,  1993]. 

Figure  6.15  summarizes  a  classification  system  for  system  or  hardware 
related  errors.  These  errors  range  from  insufficient  capacity  and  durability  to 
unacceptable  serviceability  and  compatibility. 

The  issues  of  system  robustness  (defect  or  damage  tolerance),  design  for 
constructablity,  and  design  for  IMR  (Inspection,  Maintenance,  Repair)  are  criti- 


Figure  6.15  -  Classification  of  system  errors 
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cal  aspects  of  engineering  marine  structures  that  will  be  able  to  deliver  accept¬ 
able  quality  [Bea,  1992;  1993a].  Design  of  the  structure  system  to  assure  robust¬ 
ness  is  intended  to  combine  the  beneficial  aspects  of  redundancy,  ductility,  and 
excess  capacity  (it  takes  all  three).  The  result  is  a  defect  and  damage  tolerant 
system  that  is  able  to  maintain  its  serviceability  characteristics  in  the  face  of 
HOE.  This  has  important  ramifications  with  regard  to  structural  design  criteria 
and  guidelines.  Design  for  constructability  and  IMR  have  similar  objectives. 

The  ISO  and  other  similar  guidelines  have  been  developed  to  primarily 
address  the  quality  of  manufactured  systems;  to  assure  that  they  have  accept¬ 
able  and  desirable  levels  of  quality  [ISO,  1987;  BSI,  1990;  Norwegian  Standards, 
1990]. 


Figure  6.16  summarizes  a  classification  system  for  procedure  or  software 
errors.  These  errors  can  be  embedded  in  engineering  design  guidelines  and  com¬ 
puter  programs,  construction  specifications,  and  operations  manuals.  With  the 
advent  of  computers  and  their  integration  into  many  aspects  of  the  design,  con¬ 
struction,  and  operation  of  marine  structures,  software  errors  are  of  particular 
concern  because  "the  computer  is  the  ultimate  fool."  Software  errors  in  which 
incorrect  and  inaccurate  algorithms  were  coded  into  computer  programs  have 
been  at  the  root  cause  of  several  major  failures  of  marine  structures  [ISO,  1987]. 
Guidelines  have  been  developed  to  address  the  quality  of  computer  software  for 
the  performance  of  finite  element  analyses  [National  Agency  for  Finite  Elements 
and  Standards,  1990].  Software  testing  has  been  performed  to  assure  that  the 
software  performs  as  it  should  and  that  the  documentation  is  sufficient. 


Given  the  rapid  pace  at  which 
significant  industrial  and  technical 
developments  have  been  taking  place, 
there  has  been  a  tendency  to  make 
design  guidelines,  construction 
specifications,  and  operating  manuals 
more  and  more  complex.  In  many 
cases,  poor  organization  and 
documentation  of  software  and 
procedures  has  exacerbated  the 
tendencies  for  humans  to  make 
errors.  Simplicity,  clarity, 
completeness,  accuracy,  and  good 
organization  are  desirable  attributes 
in  procedures  developed  for  the 
design,  construction,  and  operation  of 
marine  structures. 


Figure  6.16  -  Classification  of  errors  in 
procedures 
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Unsatisfactory  quality  is  defined  as  undesirable  or  unanticipated  poor  per¬ 
formance  associated  with  the  structures.  The  unsatisfactory  quality  in  marine 
structures  results  from  not  only  in  the  catastrophic  collapse  or  loss  of  the  struc¬ 
ture  (exceed  capacity),  but  as  well  and  perhaps  more  frequently,  results  from  un¬ 
expected  durability  problems  (insufficient  corrosion  and  fatigue  cracking  resis¬ 
tance). 

The  causes  of  unsatisfactory  quality  can  be  organized  into  three  cate¬ 
gories:  1)  those  that  underlie  the  actions,  2)  the  direct  initiating  actions,  and  3) 
the  compounding  or  propagating  actions.  Often,  the  direct  initiating  actions  are 
identified  and  the  more  important  underlying  and  compounding  actions  ignored. 

A  detailed  study  of  case  histories  of  insufficient  quality  in  marine  struc¬ 
tures  indicates  that  while  the  direct  causes  of  failure  can  be  attributed  to  the 
acts  of  individuals,  the  dominant  contributing  and  compounding  causes  are  fun¬ 
damentally  "organizational;"  erroneous  actions  by  groups  of  individuals  that  in¬ 
fluence  the  direct  cause  of  failure  and  exacerbate  or  escalate  its  development 
through  compounded  errors.  Of  the  individual  errors,  the  majority  of  errors  are 
errors  of  commission;  what  was  performed  was  erroneous  and  purposefully  exe¬ 
cuted.  Errors  of  omission  or  what  was  performed  was  not  intentional  account  for 
a  minority  of  the  causes. 

High  consequence  accidents  resulting  from  HOE  can  be  differentiated  into 
those  that  occur  in  design,  construction  and  operation  phases  of  the  marine  sys¬ 
tem's  life  cycle.  Unacceptable  performance  of  a  marine  structure  can  be  the  re¬ 
sult  of  improper  design  and  construction  of  the  system.  Of  the  three  life-cycle 
phases  of  a  marine  structure,  the  majority  of  compromises  in  the  quality  of  the 
structure  occur  during  the  operating  phase  and  can  be  attributed  to  errors  devel¬ 
oped  by  operating  personnel. 

Human  and  organization  interrelationships  with  systems,  procedures,  and 
environments  (internal,  external)  can  be  organized  as  shown  in  Figure  6.9. 

There  are  error  producing  potentials  within  each  of  the  primary  sectors  includ¬ 
ing  the  human  operators  (designers,  constructors,  operators),  the  organizations 
that  influence  these  operators,  the  systems  themselves  (hardware),  the  documen¬ 
tation  that  embody  the  manuals  of  use  or  practice  for  the  systems  (software),  and 
finally  the  external  and  internal  environments.  In  addition  to  the  error  produc¬ 
ing  potentials  within  each  of  these  sectors,  there  are  error  producing  potentials 
at  the  interfaces  of  the  sectors. 

A  taxonomy  or  classification  of  errors  that  can  develop  due  to  the  actions 
or  inactions  of  individuals  (humans),  organizations,  hardware,  and  procedures 
(software)  has  been  provided  in  this  section.  This  classification  has  been  devel¬ 
oped  specifically  for  the  purpose  of  describing  and  evaluating  the  effects  of  hu¬ 
man  errors  in  the  design  and  construction  of  ship  structures. 
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Alternatives 


In  most  cases,  a  combination  of  human,  organization,  and  technical 
(system,  software),  modifications  can  be  used  to  improve  the  quality  level  of  a 
ship  structure  to  acceptable  and  desirable  levels.  Table  7.1  lists  some  effective 
human,  organizational,  and  system  improvement  factors  which  can  benefit 
the  quality  of  ship  structures. 


Table  7.1  -  Quality  improvement  strategies 


Human 

Organization 

System  & 
Software 

Selection 

Resource  allocation 

Human  tolerances 

Communications 

Robustness 

Licensing 

Decision  making 

Early  warning  systems 

Verification,  checking 

Process  orientation 

Reasonable  tolerances 

incentives 

integrity 

mssssis  ini^H 

Planning 

Preparation 

Simplicity,  clarity 

Job  design 

Design  for  con- 

Accountability 

ESSIMIHsHH 

structability 

Role  of  Human  Error  In  Reliability  of  Marine  Structures 

There  are  two  fundamental  1 

approaches  to  improve  the  management  of 
HOE  to  achieve  desirable  and  acceptable  w 
quality  in  ship  structures:  p 

1)  improve  the  management  of  the 
causes  to  reduce  the  incidence  of 
HOE,  and 

2)  improve  the  management  of  the 
consequences  to  reduce  the  effects  of 
HOE. 

There  are  three  time  frames  in  which 
one  can  focus  HOE  management  activities: 

1)  prevent  errors  before  the  activity, 

2)  detect  and  correct  errors  during  the  Figure  71 .  Life-cycle  QA  /  QC 

activity,  efforts 

3)  reduce  the  consequences  of  the 
errors  after  the  error  is  committed. 

These  two  approaches  and  management  time  frames  will  be  cast  in  the 
context  of  Quality  Assurance  (QA)  and  Quality  Control  (QC)  activities.  As  dis¬ 
cussed  in  Chapter  4  (Figure  7.1),  these  activities  should  be  continuous  pro¬ 
cesses  that  are  conducted  throughout  the  life-cycle  of  a  ship  structure. 

As  discussed  in  Chapter  4,  experience  has  amply  demonstrated  in  both 
marine  and  non-marine  structures  that  "an  ounce  of  prevention  is  worth  ten 
tons  of  cure."  The  earlier  quality  problems  can  be  detected  and  corrected,  then 
the  lower  the  costs  and  other  consequences  associated  with  unanticipated  and 
undesirable  low  quality.  Thus,  there  is  a  large  premium  associated  with  pre¬ 
vention  and  avoidance. 

Detection  and  correction  (removal,  repair)  also  play  vital  roles  in  QA  / 

QC  activities.  As  discussed  in  Chapter  5,  experience  has  demonstrated  that 
the  most  effective  detection  of  major  HOE  is  "external"  to  the  situations  that 
cause  the  HOE.  Sufficient  resources  of  experience,  knowledge,  money,  and 
time  and  positive  incentives  for  detecting  errors  are  needed  if  there  is  to  be  ef¬ 
fective  error  detection. 

It  is  surprising  often  how  correction  is  under-estimated.  Sufficient  pro¬ 
visions  are  not  made  for  correcting  errors  when  they  are  found,  and  the  "fixes" 
become  problematic.  Detailed  thinking  and  evaluations  are  necessary  to  prop¬ 
erly  define  what  should  be  done  when  major  errors  are  detected.  Wishful 
thinking  seems  to  be  behind  much  of  the  problems  associated  with  error  cor¬ 
rection:  "it  will  never  happen  to  me,"  or  "we  got  by  before." 
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The  management  of  consequences  generally  also  has  been  under-esti¬ 
mated.  In  this  regard,  there  is  one  general  rule:  there  will  be  HOE.  Defenses 
in  depth  are  required  to  limit  or  manage  the  consequences  of  this  HOE.  In  the 
structural  design  area,  design  for  robustness  or  damage  tolerance  has  begun 
to  be  recognized  as  an  explicit  requirement  in  the  structure  system.  If  there  is 
a  high  probability  for  a  certain  type  of  defect  or  damage,  then  it  makes  sense  to 
provide  robustness  (combination  of  redundancy,  ductility,  and  excess  capacity) 
so  that  there  is  not  a  significant  degradation  in  the  quality  of  the  structure.  It 
is  for  this  reason  that  in  design  for  fatigue  durability,  "fail  safe"  design  is  used 
in  many  cases  rather  than  "safe  life"  design. 

The  life-cycle  QA  /  QC  approaches  of  prevention  and  management  will 
be  discussed  in  the  following  parts  of  this  chapter  as  they  apply  to  the  design 
and  construction  of  ship  structures.  The  concluding  section  of  this  chapter 
suggests  responsibilities  for  improvements  in  the  quality  of  ship  structures. 


Team  Performance 


A  particularly  important  aspect  of  quality  improvement  regards  "team 
building."  Team-work  on  the  front  lines  of  the  design  and  construction  pro¬ 
cesses  can  provide  a  large  measure  of  internal  QA  /  QC  during  these  opera¬ 
tions  [Huey,  Wickens,  1993].  Most  important,  such  team-work  can  be  respon¬ 
sible  for  interrupting  potentially  serious  and  compounding  sequences  of  events 
that  have  not  been  anticipated.  It  is  such  teamwork  that  is  largely  responsible 
for  "near  misses."  And,  it  is  for  this  reason  that  there  are  many  more  near 
misses  than  there  are  accidents. 

Crew  -  team  performance  has  been  studied  in  a  variety  of  different  set¬ 
tings  [Huey,  Wickens,  1993].  These  studies  have  indicated  that  there  are  series 
of  key  factors  that  influence  crew  -  team  performance.  These  are  summarized 
in  Table  7.2.  These  factors  represent  a  merging  of  the  primary  human  and  or¬ 
ganization  management  alternatives  identified  in  Table  6.1. 


Table  7.2  -  Crew  -  team  performance  factors 


Communications 

Procedures 

Information  evaluation 

Personnel  selection 

Organization 

Distributed  decision 

Training 

Leadership 

making 

Planning 

Monitoring 

Appropriate  operation 

Preparations 

Information  seeking, 

strategies 

Discipline 

observations 

Controlling 

Quality  incentives 
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Variables  that  affect  team  performance  include  rest  (fatigue),  physical 
conditioning,  boredom,  stress,  anxiety,  fear,  training,  and  design  of  the  hard¬ 
ware  and  software  that  comprise  the  system.  Given  these  variables,  it  is  an 
important  objective  to  manage  the  variables  so  that  team  performance  can  be 
maximized.  Provision  of  sufficient  rest,  encouragement  of  good  physical  con¬ 
ditioning,  job  design  to  relieve  boredom,  reduction  of  unnecessary  stresses  and 
providing  for  stress  relief,  removal  of  unnecessary  anxiety  and  fear,  provision 
of  sufficient  training  and  verifying  that  the  training  has  been  absorbed  into  the 
work  tasks,  and  design  of  the  hardware  and  software  so  that  the  chances  of  er¬ 
rors  are  minimized  are  examples  of  team  performance  variables  quality  man¬ 
agement. 

The  task  difficulty  for  the  team  performance  is  comprised  of  the  goals 
and  performance  criteria,  the  task  structure  and  schedule,  the  quality  and 
modality  of  information  and  communications,  the  cognitive  processing  re¬ 
quired,  and  the  characteristics  of  response  devices  and  documentation  system. 
In  quality  improvement,  one  important  objective  is  to  manage  the  task  diffi¬ 
culty  to  an  optimum  level;  reducing  the  task  difficulty  to  the  level  that  will  pro¬ 
duce  the  optimum  team  performance.  Clear  and  non-conflicting  goals  and 
performance  criteria,  simplified  task  structure,  provision  of  sufficient  time  to 
perform  the  tasks,  providing  clear,  concise,  and  timely  communications,  min¬ 
imizing  the  cognitive  processing  required  to  perform  the  tasks,  and  making 
the  response  and  documentation  system  as  simple  and  clear  as  possible  are 
examples  of  task  difficulty  quality  management  strategies. 


Design 


Figure  7.2  shows  a  generic 
design  process  for  a  marine 
structure.  The  principal  phases  in¬ 
clude  concept  development, 
configuration,  loading  analyses, 
structural  analyses,  and  design 
documentation.  The  individuals 
working  on  the  design  (design 
team)  can  make  errors  which  can 
compromise  the  intended  quality  of 
the  design  process  [Hallas,  1991]. 
The  potential  for  the  errors  can  be 
influenced  by  the  organizations, 
procedures,  hardware,  and 
environment  that  interface  with  the 
individuals  that  perform  the 
design.  QA  /  QC  is  indicated  to  be  a 


Figure  7.2  -  Human  factor  influences  in 
the  design  process  for  a  marine  struc¬ 
ture 


continuous  process  through  the  de¬ 
sign  to  assure  that  the  desirable  quality  is  achieved  [ISO,  1994]. 
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Development,  documentation  and  evaluation  of  advances  and  improve¬ 
ments  made  in  the  engineering  technology  used  to  design,  construct,  and  op¬ 
erate  ship  structures  is  a  main  theme  of  the  Ship  Structure  Committee 
Research.  Reference  to  the  list  of  SSC  reports  provides  ample  evidence  of  the 
growth  of  the  technology  to  design  and  maintain  ship  structures. 

Recent  experience  with  lack  of  sufficient  quality  in  ship  structures  pro¬ 
vides  ample  evidence  that  it  is  not  the  available  technology  that  provides  the 
primary  impediments  to  realizing  sufficient  quality  in  ship  structures.  It  is  its 
timely,  wise,  and  correct  application  [Bea,  1992,  1993a]. 

Recent  experience  in  which  the 
quality  of  marine  structures  have  been 
compromised  during  the  design 
indicate  that  there  can  be  errors  in 
any  one  or  all  of  the  principal  phases. 

Generally,  it  is  the  unfavorable 
compounding  of  more  than  one  major 
error  that  can  cause  such  a 
compromise. 

Table  7.3  summarizes  some  of 
the  key  elements  that  have  resulted  in 
major  problems  that  were  traceable  to 
design.  Design  processes  that  possess 
a  combination  of  these  factors  would 
be  those  that  have  a  high  potential  for 
compromises  in  the  intended  quality 
of  the  marine  structure.  It  should  be 
a  primary  objective  of  QA  /  QC  design 
measures  to  first  prevent  the 
occurrence  of  these  factors  and  second 
to  place  checks  in  the  primary  parts  of 
the  design  process  to  verify  that  they 
are  not  developing  into  an  undesirable 
compromise  in  the  quality  of  the  ship 
structure. 

An  example  of  such 
development  was  that  associated  with 
the  recall  of  the  second  generation  of 
Very  Large  Crude  Carriers  (VLCC, 

240,000  to  260,000  DWT)  tankers  by  Mitsubishi  Heavy  Industries  (MHI)  in  1990. 
This  recall  was  initiated  after  a  large  number  of  major  cracks  were  found  in 
the  cargo  tanks  of  one  VLCC  delivered  less  than  five  years  earlier.  The  cracks 
occurred  in  the  side  shell  longitudinals,  close  to  the  point  where  they  met  the 
transverse  bulkheads  and  frames,  about  two-thirds  up  the  side.  The  side  shell 
and  longitudinals  were  made  from  high  tensile  steel. 


Table  7.3  -  Factors  influencing  the 
occurrence  of  design  errors 


1  new  or  complex  design  guidelines 
and  specifications 
’  new  or  unusual  materials 
•  new  or  unusual  types  of  loading 
1  new  or  unusual  types  of  struc¬ 
tures 

1  new  or  complex  computer  pro¬ 
grams 

’  limited  qualifications  and  experi¬ 
ence  of  engineering  personnel 
1  poor  organization  and  manage¬ 
ment  of 

engineering  personnel 
insufficient  research,  develop¬ 
ment  and  testing  background 
major  extrapolations  of  past  engi¬ 
neering  experience 
poor  financial  climate,  initial  cost 
cutting 

poor  quality  incentives  and  quality 
control  procedures 
insufficient  time,  materials,  pro- 
cedures,  and  hardware _ 
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It  was  related  later  (Kamoi,  1993)  that  this  development  had  occurred  in 
the  following  way.  The  ship  structure  was  designed  by  MHI  using  current 
classification  society  rules.  Even  though  they  existed  and  had  been  highly  de¬ 
veloped  by  MHI,  first  principal  methods  to  compute  loadings  and  structure 
stresses  were  not  used.  Further,  there  was  no  explicit  design  or  analysis  for 
fatigue  of  the  ship  structure.  The  ship  structure  was  designed  based  on  the 
use  of  conventional  mild  steel. 

After  the  ship  design  was  completed  and  documented,  it  was  passed  to 
the  yard  for  construction.  The  construction  yard  decided  that  higher  tensile 
strength  steels  would  be  used  to  reduce  the  weight  of  the  ship  structure  in  this 
class  of  VLCC.  This  would  lower  the  initial  costs,  make  the  yard  more  compet¬ 
itive,  and  increase  the  cargo  volumes.  Scantlings  and  plating  were  reduced  in 
thickness  in  proportion  to  the  increase  in  the  tensile  strength  of  the  steel.  The 
ship  structure  designers  were  not  consulted  about  this  change. 

In  the  review  of  the  design  and  construction,  the  classification  society 
(NK)  did  not  determine  that  there  was  anything  wrong  with  the  change  in  the 
grades  of  steel.  There  had  not  been  any  significant  compromise  in  the 
strength  or  capacity  of  the  ship  structure.  There  were  no  provisions  for  verify¬ 
ing  that  the  ship  structure  had  sufficient  or  desirable  durability. 

Thus  the  class  of  ships  were  constructed  and  classed.  However,  they  did 
not  have  sufficient  durability  and  very  costly  measures  were  required  to  pro¬ 
vide  the  necessary  durability. 

This  compromise  in  quality  occurred  because  of  a  compounding  of  fac¬ 
tors.  Not  using  the  available  technology,  a  break  down  in  communications  be¬ 
tween  the  design  and  construction  organizations,  a  contracting  and  financial 
climate  that  did  not  include  a  premium  for  durability,  and  the  inability  of  the 
classification  society  to  determine  that  there  would  be  a  significant  reduction 
in  the  durability  with  the  change  in  steel  grade  lead  to  this  costly  compromise. 
There  have  been  other  similar  problems  with  other  classes  of  crude  carriers. 

The  effect  of  a  design  error  depends  on  the  type  and  magnitude  of  the  er¬ 
ror  and  the  sensitivity  of  the  structure  element  to  the  error.  Figure  7.3  shows 
the  likelihood  of  unsatisfactory  quality  in  a  structure  element  (Pfs  I  e)  condi¬ 
tional  on  the  magnitude  and  type  of  human  error.  Error  tolerant  and  error  in¬ 
tolerant  elements  are  indicated  [Stewart,  1990]. 

It  would  be  desirable  that  QA  /  QC  be  very  stringent  for  the  error  intoler¬ 
ant  elements.  Also,  it  would  be  desirable  to  configure  or  design  the  element  or 
component  so  that  it  could  be  error  tolerant  for  the  highly  likely  types  of  design, 
construction,  and  /  or  operations  errors.  The  design  of  damage  or  defect  toler¬ 
ant  ("robust")  structures  is  very  desirable  [Bea,  1992].  The  sensitivities  of  vari¬ 
ous  parts  of  a  particular  structure  and  various  parts  of  a  particular  design 
process  can  be  studied  beforehand  to  determine  those  parts  that  are  most  error 
intolerant.  Re-design  and  QA  /  QC  efforts  can  thus  be  directed  at  those  ele¬ 
ments  and  aspects  that  have  the  highest  criticality.  These  same  elements  and 
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components  could  become  those  that  are  watched  most  closely  during  the  con¬ 
struction  and  dining  operations.  Inspections  can  be  directed  to  confirm  the 
quality  and  condition  of  the  elements  that  are  the  most  important  to  the  in¬ 
tegrity  of  the  ship  structure  and  that  are  the  most  intolerant  of  low  quality  fac¬ 
tors. 


Table  7.4  addresses  four  key 
questions  associated  with  design 
QA  /  QC:  "what,  when,  how,  and 
who  to  check"  [Knoll,  1986].  High 
consequence  of  error  parts  are 
those  aspects  of  the  design  process 
that  are  error  intolerant  (Figure 
7.3).  These  are  a  high  priority  for 
QA  /  QC  measures  [Stewart,  1990]. 

Early  checking  is 
particularly  important  to  identify 
and  correct  mistakes  that  can 
become  embedded  in  the  entire 
process.  As  more  time  is  allowed  to 
pass,  these  embedded  mistakes 
become  more  and  more  difficult  to 
detect  and  expensive  to  correct. 
Based  on  the  work  published  by 
Knoll  [1986],  Figure  7.4  shows  how 
insufficient  checking  in  a  design 
process  allows  the  accumulation  of 
errors  through  the  design  phase. 
Announced  external  audits  with 
effective  mechanisms  for  checking 
detect  these  errors  so  that  they  can 
be  kept  to  an  acceptable  level.  The 
timing  of  these  audits  is  best 
scheduled  before  the  design  starts 
(to  detect  and  correct  critical  flaws 
in  the  proposed  approaches), 
during  the  critical  parts  of  the 
design  (to  detect  and  correct  major 
errors  of  commission  and 
omission),  and  after  the  design 
documentation  has  been  completed 
(to  detect  major  errors  in  the  plans 
and  specifications  that  will  be  used 
for  construction). 


Magnitude  (Y)  of  Type  (X)  of  Human  Error 


Figure  7.3  -  Likelihood  of  unsatisfactory 
quality  for  error  tolerant  and  intolerant 
structure  elements 


Figure  7.4  -  Accumulated  errors  in  the 
structure  design  process  with  and 
without  external  checking 
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The  "hows"  of  checking  are 
particularly  important  [Knoll,  1986]. 
The  use  of  qualified  and  experienced 
engineers  provided  with  sufficient 
time  and  information  resources  is 
very  important.  Figures  7.5  and  7.6 
show  information  that  was  developed 
from  the  research  performed  by 
Melchers  and  Stewart  [1980-1990]. 
These  are  Probability  of  Detection 
(POD)  curves  developed  for  errors 
made  in  the  design  of  non-marine 
structures.  The  error  magnitude 
refers  to  the  size  of  the  error 
committed  in  the  structural  analysis. 
Positive  error  magnitudes  are 
indicated  (too  conservative).  Negative 
error  magnitudes  would  have  a 
different  POD  curves.  Experienced 
QA  /  QC  is  able  to  detect  smaller 
errors  with  a  higher  probability. 
Provision  of  more  time  for  checking 
allows  smaller  errors  to  be  detected 
with  greater  probabilities. 

The  work  of  Melchers  and 
Stewart  was  based  on  the  results  of 
questionnaires  directed  to  building 
design  firms  in  Australia.  These 
represent  the  mean  results  of  the 
responses.  This  is  extremely  useful 
and  valuable  information.  But,  it 
needs  to  be  further  developed  and 
directed  to  the  specifics  of  ship 
structures  before  it  could  be  used  with 


ERROR  MAGNITUDE  -  % 


Figure  7.5  -  Effects  of  QA  /  QC 
"experience"  on  the  POD  of  structural 
analysis  errors 


ERROR  MAGNITUDE -% 


Figure  7.6  -  Effects  of  QA  /  QC 
allocated  time  on  the  POD  of 
structural  analysis  errors 


surety.  Given  that  there  is  further  de¬ 
velopment  of  procedures  and  processes  for  the  improved  management  of  HOE 
in  the  design  and  construction  processes,  development  of  HOE  QA  /  QC  alter¬ 
natives,  procedures,  and  quantified  data  on  the  effectiveness  of  these  alterna¬ 
tives  and  procedures  should  be  a  high  priority  effort. 


As  discussed  in  Chapter  6,  following  the  failure  of  Sleipner  A  platform, 
one  of  the  primary  changes  made  in  the  design  process  for  the  replacement 
platform  was  a  dramatic  increase  in  the  resources  provided  for  checking;  a  400 
%  increase  [Jakobsen,  1992].  Personnel  selection  and  training  was  revised. 
Detailed  procedures  for  the  performance  of  the  FEA  were  developed.  Physical 
testing  of  critical  components  was  undertaken.  And,  the  error  intolerant  "star 
cells"  and  their  reinforcement  were  modified  to  develop  a  more  robust  struc¬ 
ture  system  [Rettedal,  et  al.,  1993].  All  of  these  measures  are  excellent  exam- 
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pies  of  QA  /  QC  in  the  design  process  to  manage  HOE.  In  the  wake  of  the  $  1 
billion  disaster,  little  expense  was  spared  to  assure  that  the  replacement  plat¬ 
form  would  not  experience  the  same  or  similar  "embedded  flaws"  in  the  struc¬ 
ture  design  process.  It  didn't. 


Table  7.4  -  Design  QA  /  QC  strategies 


•  WHAT TO  CHECK? 

-  high  likelihood  of  error  parts  (e.g.  as¬ 
sumptions,  loadings,  documentation) 

-  high  consequence  of  error  parts 

•  WHEN TO  CHECK? 

-  before  design  starts  (verify  process, 
qualify  team) 

-  during  concept  development 

-  periodically  during  remainder  of  pro¬ 
cess 

-  after  design  documentation  completed 


•  HOW TO  CHECK? 

-  direct  toward  the  important  parts  of  the 
structure  (error  intolerant) 

-  be  independent  from  circumstances 
which  lead  to  generation  of  the  design 

-  use  qualified  and  experienced  engineers 

-  provide  sufficient  QA  /  QC  resources 

-  assure  constructability  and  IMR 

•WHO  TO  CHECK? 

-  the  organizations  most  prone  to  errors 

-  the  design  teams  most  prone  to  errors 

-  the  individuals  most  prone  to  errors 


Construction 


Figure  7.7  shows  a  generic  construction  process  for  a  marine  structure. 
The  principal  phases  include  contracting,  planning,  lofting,  procurement, 
cutting  and  forming,  fabrication,  and  commissioning.  The  individuals  work¬ 
ing  on  the  construction  (construction  team)  can  make  errors  which  can  com¬ 
promise  the  intended  quality  of  the  design  process  [Alarcon-Cardenas,  1992]. 
The  potential  for  the  errors  can  be  influenced  by  the  organizations,  procedures, 
hardware,  and  environment  that  interface  with  the  individuals  that  perform 
the  construction.  QA  /  QC  is  indicated  to  be  a  continuous  process  through  the 
design  to  assure  that  the  desirable  quality  is  achieved  [Al-Bahar,  1988]. 

The  implementation  of  QA  /  QC  in  construction  may  be  summarized  by 
identifying  three  levels  [ISO,  1987]: 

1)  establishment  of  QC  procedures  to  monitor  quality. 

2)  establishment  of  a  QA  system  suitable  for  the  manufactured  product 
in  accordance  with  recognized  standards. 

3)  establishment  of  a  QA  system  suitable  for  the  manufactured  product 
in  accordance  with  recognized  international  standards  and  its  certifi¬ 
cation  by  an  independent  certifying  authority. 
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Quality  Control  Procedures 

The  implementation  of 
simple  QC  procedures  to  deal  with 
quality  requirements  is  a  solution 
that  should  not  be  accepted. 
Knowledge  of  the  reference  quality 
rules  and  regulations,  a  rational 
organization  of  the  quality  staff,  the 
accuracy  and  completeness  of  the 
documents  (procedures,  plans)  pro¬ 
duced,  and  validity  of  the  final 
records  issued  are  always  critical 
points  related  to  a  QC  approach. 


CONSTRUCTION  PROCESS 


Knowledge  of  the  technical  Figure  7.7  -  Human  factor  influences  in 
rules  and  a  basic  knowledge  of  the  the  construction  of  a  marine  structure 
quality  standards  may  allow 
constructors  to  develop  workshop 
quality  control  plans  [Ross,  1984], 

This  is  the  average  level  of  capability  of  small  to  medium  constructors  without 
a  specific  quality  policy. 


The  appointment  of  people  responsible  for  the  quality  of  each  work  area, 
the  issue  of  a  quality  manual  and  related  procedures  for  each  discipline  in¬ 
volved  in  the  construction  (reception  of  materials,  storage,  cutting,  welding, 
prefabrication,  fabrication,  inspections)  and  the  organization  of  all  records  for 
the  activities  can  not  be  improvised  for  a  constructor  not  organized  according 
to  a  comprehensive  quality  policy. 


Quality  Assurance  Procedures 

A  correct  approach  by  the  yard  management  to  a  quality  policy  in  line 
with  recognized  standards  and  therefore  the  establishment  of  a  QA  system  is 
presently  the  aim  of  most  major  constructors  of  marine  structures.  It  is  a 
mandatory  requirement  to  work  on  demanding  projects.  Major  requests  for 
tender  to  yards  for  a  new  naval  or  offshore  project  are  issued  today  taking  into 
account  specific  requirements  for  a  QA  /  QC  system. 

Safety  and  reliability  of  marine  structures,  highly  complex  projects,  co¬ 
operation  of  many  organizations  and  contractors,  involvement  of  regulatory 
authorities,  very  large  commercial  investments,  and  tight  time  schedules  jus¬ 
tify  the  implementation  of  an  overall  QA  /  QC  system. 

Significant  evidence  and  justification  of  the  need  for  a  reliable  QA  /  QC 
system  may  be  identified  by  looking  at  the  relationship  between  cost  and  time 
for  different  project  phases.  The  cost  of  possible  modifications  increases  on  an 
exponential  basis  as  the  project  develops,  to  become  prohibitive  during  the  final 


116 


Chapter  7 


Alternatives  for  Management  of  Human  Errors 


offshore  installation  of  a  marine  structures.  On  the  other  hand,  the  likelihood 
of  the  project  management  being  able  to  deal  with  the  modifications  decreases 
mirror-like  during  the  same  phases  [Crevani,  1986]. 


One  basic  concept  of  QA  /  QC  is 
that  different  quality  levels  should  be 
defined  for  the  different  elements  and 
components  comprising  a  marine 
structure  system  depending  on  the 
"criticality"  of  the  manufactured  item 
[BSI,  1990;  Norwegian  Standards, 
1990].  If  the  manufacturing  quality  of 
a  particular  system  is  particularly 
sensitive  to  errors  or  defects,  then 
increased  levels  of  QA  /  QC  should  be 
directed  to  that  particular  system. 
Lesser  levels  of  QA  /  QC  should  be 
directed  to  items  that  are  less  critical  to 
the  quality  of  a  system.  Emphasis 
should  be  put  on  the  definition  of  the 
criticality  levels,  to  properly  choose  the 
most  adequate  QA/  QC  scheme  for 
each  item  to  be  built. 

Three  levels  of  QA  requirements 
have  been  identified  in  international 
standards.  These  schemes  have 
appeared  in  the  Norwegian  standards 
NS  5801,  2,  and  3  [1990],  and  the  same 
principles  were  implemented  in  the 
subsequent  BS  5750,  ISO  9001,  9002, 
and  9003  standards  [1990],  and  the 
harmonized  European  standards  EN 
29001, 29002,  and  29003  [1990]. 

A  synoptic  table  of  comparison  of 
the  main  requirements  of  the  three 
quality  models  for  three  levels  of 
criticality  (most  to  least)  presented  in 
reference  [Crevani,  1986]  is  given  in 
Table  7.5. 


Table  7.5  -  Comparison  of  QA  /  QC 
construction  requirements  for  dif¬ 
ferent  levels  of  criticality 


LEVEL* 


Requirement 

1 

2 

3 

General  requirements 

• 

o 

0 

Organization 

• 

o 

0 

Planning 

• 

o 

0 

Job  Instructions  and  proce¬ 
dures 

• 

o 

Documentation 

Development  and  design 
Subcontracts 

• 

• 

o 

-  General 

• 

o 

-  Purchasing  document 

• 

• 

-  Receiving  inspection 

• 

• 

Identification,  marking, 
storage,  shipping 

• 

o 

Measuring  and  testing 

• 

o 

0 

Production 

• 

o 

0 

Inspection 

• 

o 

Records 

• 

o 

Control  of  non-conformance 

• 

o 

0 

Corrective  action 

• 

o 

0 

Final  inspections 

• 

o 

Quality  audit 

• 

• 

o 

o 

o 

*  Level  1  most  critical 

•  most  extensive  requirements 

o  reduced  requirements  relative  to  • 
o  reduced  requirements  relative  to  o 


Certification  of  compliance  with  one  of  the  QA  /  QC  schemes  requires 
assessment  of  the  yard's  system  to  be  made  by  a  recognized  independent  au¬ 
thority  or  third  party  [ISO,  1987].  The  evaluation  is  to  be  an  accurate  on-site 
examination  of  the  company's  quality  policy,  procedures  and  records,  and 
their  implementation.  The  major  goal  of  the  assessment  is  to  determine 
whether  the  QA  system  complies  with  the  reference  standard  and  is  really  im- 
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plemented  and  permeates  all  yard  departments  that  may  influence  the  final 
quality  of  the  product. 

Certified  companies  are  systematically  audited  by  the  third  party  to 
monitor  the  efficiency  of  the  system,  to  detect  possible  non  conformities  and 
promote  the  most  appropriate  corrective  actions  aimed  at  improving  the  QA 
structure  or  QC  procedures. 

The  requirement  for  certification  of  an  QA  /  QC  system  depends  basi¬ 
cally  on  regulatory  requirements,  client  requirements,  and  a  strategy  of  the 
construction  yard  to  be  competitive  with  the  quality  of  its  products. 


Inspections,  Maintenance,  Repairs 


Inspection,  maintenance,  and  repairs  (IMR)  are  a  critical  part  of  the 
structural  QA  /  QC  process  during  operations  [Bea,  1992].  The  IMR  process 
must  be  in  place,  working,  and  being  further  developed  during  the  entire  life¬ 
time  of  the  structure.  The  IMR  process  is  responsible  for  maintaining  the 
quality  of  the  structure  during  the  useful  lifetime  of  the  structure. 

A  fundamental  and  essential  part  of  the  IMR  process  is  knowledge.  The 
IMR  process  can  be  no  more  effective  or  efficient  than  the  knowledge,  data, 
and  experience  that  forms  the  basis  for  the  process. 

The  IMR  process  must  be  diligent  and  disciplined  and  have  integrity. 
There  must  be  a  focus  on  the  quality  of  the  performance  of  the  process;  quality 
of  the  structure  will  be  a  natural  by-product. 

The  IMR  process  should  investigate  a  wide  variety  of  alternatives  to  ac¬ 
complish  its  fundamental  objectives  (maintenance  of  strength  and  serviceabil¬ 
ity).  Inspections  can  range  from  general  to  detailed,  visual  to  acoustic,  peri¬ 
odic  to  continuous  (monitoring).  Maintenance  can  range  from  patching  to 
complete  replacement.  Repairs  can  range  from  replacement  as-was  to  re-de- 
sign  and  replacement;  temporary  to  permanent;  from  complete  and  compre¬ 
hensive  to  judicious  neglect. 

The  IMR  process  can  be  proactive  (focused  on  prevention),  or  it  can  be 
reactive  (focused  on  correction).  The  IMR  process  can  be  periodic  (time  based), 
or  it  can  be  condition  oriented  (occasion  based).  Combinations  of  proactive,  re¬ 
active,  periodic,  and  condition  based  approaches  can  be  appropriate  for  differ¬ 
ent  IMR  programs.  A  major  challenge  is  to  find  the  combination  that  best  fits 
a  particular  fleet,  its  operations,  and  its  organizations. 

An  IMR  process  should  define  the  combinations  and  permutations  of 
IMR  that  will  produce  the  lowest  total  costs  (initial  and  future)  and  optimize 
the  use  of  resources  without  compromising  minimum  safety  and  reliability  re¬ 
quirements. 
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The  fundamental  purpose  of  inspections  is  to  provide  information  and 
knowledge  concerning  the  proposed,  present,  and  future  integrity  of  the  struc¬ 
ture. 


The  first  fundamental  purpose  of  inspections  is  to  "disclose  what 
is  not  known".  The  second  fundamental  purpose  is  to  "confirm 
what  is  thought". 

Quantitative  inspection  analyses  can  help  address  the  second  purpose; 
providing  insights  into  when,  where,  and  how  to  inspect.  Such  analyses  can 
not  be  relied  upon  to  provide  information  that  will  address  the  first  purpose. 

Inspections,  data  recording,  data  archiving  (storage),  and  data  analysis 
should  all  be  a  part  of  a  comprehensive  and  integrated  inspection  system. 
Records  and  thorough  understanding  of  the  information  contained  in  these 
records  are  a  key  aspect  of  inspection  programs. 

Inspections  should  be  focused  on: 

•  Determination  of  condition  of  the  structure; 

•  Disclosure  of  defects  (design,  construction,  maintenance); 

•  Assurance  of  conformance  with  plans  and  specifications,  guidelines 
and  rules,  and  quality  requirements; 

•  Disclosure  of  damage, 

•  Development  of  information  to  improve  design,  construction,  and 
maintenance  procedures. 

Inspections  should  be  full-scope  and  include  quality  assurance  and  con¬ 
trol  measures  in  the  structure,  equipment,  facilities,  and  personnel. 

Definition  of  the  elements  to  be  inspected  is  based  on  two  principal  aspects: 

•  Consequences  of  defects  and  damage,  and 

•  Likelihoods  of  defects  and  damage. 

The  consequence  evaluation  is  essentially  focused  on  defining  those  el¬ 
ements,  and  components  that  have  a  major  influence  on  the  quality  of  a  ma¬ 
rine  structure.  Evaluation  of  the  potential  consequences  should  be  based  on 
historical  data  (experience)  and  analysis  to  define  the  elements  that  are  criti¬ 
cal  to  maintaining  the  integrity  of  a  marine  structure. 

The  likelihood  evaluation  is  focused  on  defining  those  elements  that 
have  high  Likelihoods  of  being  damaged  and  defective.  Experience  and  analy¬ 
sis  are  complementary  means  of  identifying  these  elements. 
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Structural  monitoring  systems  can  provide  important  information  dur¬ 
ing  operations.  These  systems  can  provide  intermittent  and  continuous  data 
on  the  performance  characteristics  of  the  structure.  These  systems  can  pro¬ 
vide  important  information  to  improve  design,  construction,  and  operations  of 
marine  structures. 

There  are  no  general  answers  to  the  timing  of  inspections.  The  timing 
of  inspections  are  dependent  on: 

•  The  initial  and  long-term  durability  characteristics  of  the  structure; 

•  The  margins  that  the  operator  wants  in  place  over  minimums  so  that 

there  is  sufficient  time  to  plan  and  implement  effective  repairs; 

•  The  quality  of  the  inspections  and  repairs;  and 

•  The  basis  for  maintenance  -  "on  demand”  (repair  when  it  "breaks  or 

leaks"  or  "programmed"  (repair  or  replace  on  standard  time  basis). 

Marine  structures  that  have  been  designed  and  constructed  for  durabil¬ 
ity  can  be  expected  to  have  longer  periods  of  time  between  inspections  than 
those  that  have  not  been  designed  and  constructed  for  durability.  Structures 
that  are  maintained  so  as  to  permit  evaluation  and  planning  time  in  advance 
of  the  next  IMR  will  have  more  frequently  scheduled  inspections  than  those 
that  wait  until  the  minimums  are  reached  and  then  must  immediately  affect 
repairs.  Structures  that  are  repaired  using  non-durable  methods  would  im¬ 
plicate  more  frequent  inspections  to  keep  the  structure  above  minimums. 
Poorly  conducted  inspections  would  have  similar  effects. 

The  basic  objective  of  structural  maintenance  is  to  prevent  unwarranted 
degradation  in  the  strength  and  serviceability  of  the  structure.  Structural 
maintenance  is  directed  primarily  at  preventing  excessive  corrosion  through 
the  maintenance  of  coatings  and  cathodic  protection  systems.  Another  objec¬ 
tive  of  structural  maintenance  is  to  preserve  the  integrity  of  the  structure 
through  judicious  renewals  of  steel  and  repairs  to  damaged  elements. 

The  basic  tenant  of  maintenance  is  that  it  must  be  vigilant  and  continu¬ 
ous  if  unpleasant  surprises  in  degradation  of  the  structure  are  to  be  avoided. 
Maintenance  can  be  preventative  or  it  can  be  reactive.  Both  strategies  have 
their  place.  For  example,  preventative  maintenance  can  be  directed  at  corro¬ 
sion  protection  of  critical  structural  details  (CSD)  or  fatigue  damage  to  rudder 
bearings  and  supports.  Reactive  maintenance  can  be  directed  at  repairs  to  ac¬ 
cidental  damage  and  unanticipated  fatigue  damage  to  CSD. 

Maintenance  can  be  continuous  or  it  can  be  periodic.  In  general,  for 
CSD  it  is  periodic  and  is  predicated  upon  the  results  of  annual  or  more  fre¬ 
quent  in-service  inspections  and  special  surveys. 
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Repairs  to  CSD  is  a  difficult,  costly,  and  demanding  task.  There  is  no 
reasonable  consensus  on  what,  how,  and  when  to  repair.  The  general  lack  of 
readily  retrievable  and  analyzable  information  on  repairs  and  maintenance 
frustrates  repair  and  maintenance  tracking.  In-service  experience  is  indicat¬ 
ing  that  many  repairs  do  not  produce  quality  results.  Development  of  engi¬ 
neering  guidelines  to  assist  in  definition  of  quality  repairs  to  marine  struc¬ 
tures  should  be  a  high  priority  research  and  development  objective. 


Organization  Responsibilities 


A  key  consideration  in  achieving  desirable  and  acceptable  quality  in  the 
design,  construction,  and  operation  of  ship  structures  is  organizational.  This 
consideration  address  how  the  organizational  sectors  of  the  industry  can  work 
more  effectively  toward  a  common  set  of  quality  goals. 

Technical  "fixes"  alone  will  not  result  in  the  desired  objectives  of  quality. 
The  responsibilities  and  authorities  for  quality  should  be  clearly  understood  by 
all  of  the  primary  parties  involved  in  the  design,  construction,  and  operation  of 
marine  structures. 

There  are  four  primary  groups  involved  in  the  development  of  quality  in 
marine  groups:  1)  owners  and  operators,  2)  designers  and  constructors,  3) 
classification  and  inspection  groups,  and  4)  regulatory  agencies  (Figure  7.4). 

Of  particular  importance  in  development  of  quality  in  design,  construc¬ 
tion,  and  operations  is  agreement  between  the  principal  sectors  of  the  goals 
and  responsibilities  of  each  sector.  Ideally,  the  responsibilities  for  each  of  the 
four  segments  could  be  organized  as  follows: 

1)  Regulatory  -  responsible  for  definition  and  verification  of  compliance 
with  goals  and  policies  of  quality  in  ship  structures. 

2)  Classification  and  Inspection -  responsible  for  development  of  classifi¬ 
cation  rules  that  will  guide  and  verify  design,  construction,  and  op¬ 
eration  of  quality  ship  structures  that  meet  regulatory  and  owner  re¬ 
quirements,  and  to  assist  with  the  verification  of  compliance  with  the 
classification  rules. 

3)  Design  and  Construction  -  responsible  for  designing  and  producing 
marine  structures  with  appropriate  quality. 

4)  Owners  and  Operators  -  responsible  for  design,  maintenance,  and  op¬ 
eration  of  high  quality  marine  structures  and  the  economic  operation 
of  the  structures. 
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Figure  7.4  -  Organizational  aspects  of  quality 


The  owner  and  operations  segments  play  a  pivotal  role  in  the  organiza¬ 
tion  for  quality.  The  owner  and  operator  are  substantially  responsible  for  the 
quality  of  any  ship.  They  are  responsible  for  establishing  the  system  require¬ 
ments  and  objectives  and  communicating  them  to  the  other  organizations. 

The  owner  /  operator  is  responsible  for  consideration  of  the  relationships  of 
cost  and  performance  and  function. 

Table  7.6  summarizes  primary  organizational  and  technical  responsi¬ 
bilities  of  each  of  the  groups  in  development  of  desirable  levels  of  quality  in  ma¬ 
rine  structures. 

A  very  important  part  of  Figure  7.4  is  the  quality  monitoring  and  com¬ 
munication  system  shown  in  the  center  of  the  illustration.  This  system  should 
have  three  major  components  that  address  through  the  life-cycle  of  a  ship  the 
quality  aspects  of:  1)  operations,  2)  structure,  and  3)  equipment. 

Such  a  system  does  not  exist  at  the  present  time.  Efforts  have  been  initi¬ 
ated  to  develop  the  ship  structure  components  [Schulte-Strathaus,  Bea,  1994] 
and  the  human  -  organization  components  [Mason,  Roberts,  Bea,  1994]  of  such 
a  central  communications  and  information  database  system. 

The  operations  quality  aspects  would  address  not  only  day-to-day  mis¬ 
sion  and  cargo  operations,  but  as  well  human  factor  related  issues  through  the 
life-cycle  of  the  ship.  The  structure  and  equipment  quality  aspects  would  ad¬ 
dress  the  life-cycle  development  of  these  systems  including  design,  construc- 
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tion,  operation,  and  maintenance.  This  would  form  the  information  database 
for  managing  the  life-cycle  quality  aspects  of  the  ship. 


Table  7.6  -  Suggested  organizational  responsibilities  for  quality 

in  ship  structures 


SEGMENT 

RESPONSIBILITIES 

Regulatory 

1)  Develop  and  issue  technical  standards  and  regulations  for 

QA  /  QC  processes. 

2)  Perform,  evaluate,  and  report  results  of  design  and  produc¬ 
tion  reviews  and  inspections. 

3)  Perform,  evaluate,  and  report  results  of  operations  and  main¬ 
tenance  inspections. 

4)  Archive,  review,  analyze  data,  and  disseminate  information 

from  inspections,  repairs,  information  requests,  and  field  op¬ 
erations  reports.  , 

5)  Provide  information  feedback  to  the  responsible  ! 

Classification,  owners  -  operators,  and  builders  -  repair 
yards. 

6)  Help  develop  and  recommend  marine  structure  design,  in¬ 
spection,  and  maintenance  improvements. 

Classification  - 
Inspection 

1)  Assist  in  developing  and  issuing  technical  standards  and 
regulations  for  QA/QC  processes. 

2) Assist  Regulators  and  Operators  in  performing,  evaluating 
and  reporting  the  results  of  design  and  production  reviews 
and  inspections  (surveying). 

3) Assist  Regulators  and  Operators  in  performing  evaluating, 
and  reporting  results  of  operations  and  maintenance  inspec¬ 
tions  (surveying). 

4)  Assist  Regulators  and  Operators  in  archiving,  reviewing, 
analyzing  marine  structure  quality  data,  and  disseminate  in¬ 
formation  from  inspections,  repairs,  information  requests, 
and  field  operations  reports. 

5)  Assist  Regulators  and  Operators  in  providing  information 
feedback  to  the  responsible  Classification,  owners  -  operators, 
and  production  organizations. 

6)  Help  develop  and  recommend  marine  structure  design,  in¬ 
spection,  and  maintenance  improvements. 

123 


Table  7.6  -  Organizational  Responsibilities  For  Quality  in  Marine  Structures 

(continued) 


SEGMENT 

RESPONSIBILITIES 

Operators  - 
Owners 

1)  Operate  and  maintain  ships  within  intended  operating  condi¬ 
tions. 

2)  Develop  approved  standard  QA  /  QC  processes  including  in¬ 
spection  and  maintenance  programs. 

3)  Perform  continuing  inspection  and  maintenance. 

4)  Conduct  special  structural  integrity  and  durability  inspec¬ 
tions,  repairs,  and  modifications. 

5)  Review  and  analyze  data  from  inspections,  repairs,  informa¬ 
tion  requests,  and  field  service  reports. 

6)  Provide  information  feedback  to  the  responsible  regulatory 
and  production  organizations,  and  other  operators. 

7)  Develop  and  recommend  ship  structure  design,  inspection, 
and  maintenance  improvements. 

8)  Perform  continuing  liaison  with  regulatory  and  manufactur¬ 
ing  organizations. 

Designers  & 
Constructors 

1)  Develop  and  design  ships  and  QA/QC  processes  to  meet  or  ex¬ 
ceed  industry,  regulatory,  and  classification  society  stan¬ 
dards  and  requirements. 

2)  Produce  marine  structures  that  meet  or  exceed  industry, 
regulatory,  and  classification  society  standards  and  require¬ 
ments. 

3)  Recommend  preventative  maintenance  and  modification  pro¬ 
grams. 

4)  Recommend  minimum  standard  inspections. 

5)  Recommend  special  inspections,  and  modifications. 

6)  Supply  information  experience  from  production,  inspections, 
and  maintenance  of  marine  structures 

7)  Develop  design  and  maintenance  improvements. 

8)  Perform  continuing  liaison  with  regulatory  and 
owner/operator  organizations. 

9)  Seek  and  employ  design  and  operational  feed-back 
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Summary 

In  most  cases,  a  combination  of  human,  organization,  and  technical 
(system,  software)  modifications  can  be  used  to  improve  the  quality  level  of  a 
ship  structure  to  acceptable  and  desirable  levels.  Table  6.1  lists  some  effective 
human,  organizational,  and  system  improvement  factors  which  can  benefit 
the  quality  of  ship  structures. 

There  are  two  fundamental  approaches  to  improve  the  management  of 
HOE  to  achieve  desirable  and  acceptable  quality  in  ship  structures: 

1)  improve  the  management  of  the  causes  to  reduce  the  incidence  of 

HOE,  and 

2)  improve  the  management  of  the  consequences  to  reduce  the  effects  of 

HOE. 

These  two  approaches  will  be  discussed  in  the  following  parts  of  this 
chapter  as  they  apply  to  QA  /  QC  in  the  design  and  construction  of  ship  struc¬ 
tures.  The  concluding  section  of  this  chapter  suggests  responsibilities  for  im¬ 
provements  in  the  quality  of  ship  structures. 

A  particularly  important  aspect  of  quality  improvement  regards  "team 
building."  Team-work  on  the  front  lines  of  the  design  and  construction  pro¬ 
cesses  can  provide  a  large  measure  of  internal  QA  /  QC  during  these  opera¬ 
tions.  Most  important,  such  team-work  can  be  responsible  for  interrupting  po¬ 
tentially  serious  and  compounding  sequences  of  events  that  have  not  been  an¬ 
ticipated.  It  is  such  teamwork  that  is  largely  responsible  for  "near  misses." 
And,  it  is  for  this  reason  that  there  are  many  more  near  misses  than  there  are 
accidents. 

Recent  experience  with  lack  of  sufficient  quality  in  ship  structures  pro¬ 
vides  ample  evidence  that  it  is  not  the  available  technology  that  provides  the 
primary  impediments  to  realizing  sufficient  quality  in  ship  structures.  It  is  its 
timely,  wise,  and  correct  application  [Bea,  1993]. 

Recent  experience  in  which  the  quality  of  marine  structures  have  been 
compromised  during  the  design  indicate  that  there  can  be  errors  in  any  one  or 
all  of  the  principal  phases.  Generally,  it  is  the  unfavorable  compounding  of 
more  than  one  major  error  that  can  cause  such  a  compromise.  Table  6.2 
summarizes  some  of  the  key  elements  that  have  resulted  in  major  problems 
that  were  traceable  to  design.  Design  processes  that  possess  a  combination  of 
these  factors  would  be  those  that  have  a  high  potential  for  compromises  in  the 
intended  quality  of  the  marine  structure. 

Recent  experience  in  which  the  quality  of  marine  structures  have  been 
compromised  during  the  design  indicate  that  there  can  be  errors  in  any  one  or 
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all  of  the  principal  phases.  Generally,  it  is  the  unfavorable  compounding  of 
more  than  one  major  error  that  can  cause  such  a  compromise. 

Table  6.1  summarizes  some  of  the  key  elements  that  have  resulted  in 
major  problems  that  were  traceable  to  design.  Design  processes  that  possess  a 
combination  of  these  factors  would  be  those  that  have  a  high  potential  for  com¬ 
promises  in  the  intended  quality  of  the  marine  structure.  It  should  be  a  pri¬ 
mary  objective  of  QA  /  QC  design  measures  to  first  prevent  the  occurrence  of 
these  factors  and  second  to  place  checks  in  the  primary  parts  of  the  design  pro¬ 
cess  to  verify  that  they  are  not  developing  into  an  undesirable  compromise  in 
the  quality  of  the  ship  structure.  QA  /  QC  should  be  continuous  throughout  the 
design  process. 

It  would  be  desirable  that  QA  /  QC  be  very  stringent  for  the  error  intoler¬ 
ant  elements.  Also,  it  would  be  desirable  to  configure  or  design  the  element  or 
component  so  that  it  could  be  error  tolerant  for  the  highly  likely  types  of  design, 
construction,  and  /  or  operations  errors.  The  design  of  damage  or  defect  toler¬ 
ant  ("robust")  structures  is  very  desirable.  The  sensitivities  of  various  parts  of 
a  particular  structure  and  various  parts  of  a  particular  design  process  can  be 
studied  beforehand  to  determine  those  parts  that  are  most  error  intolerant. 
Re-design  and  QA  /  QC  efforts  can  thus  be  directed  at  those  elements  and  as¬ 
pects  that  have  the  highest  criticality.  These  same  elements  and  components 
could  become  those  that  are  watched  most  closely  during  the  construction  and 
during  operations.  Inspections  can  be  directed  to  confirm  the  quality  and  con¬ 
dition  of  the  elements  that  are  the  most  important  to  the  integrity  of  the  ship 
structure  and  that  are  the  most  intolerant  of  low  quality  factors. 

Similar  QA  /  QC  procedures  have  been  outlined  for  the  construction  of 
ship  structures.  The  ISO  9000  series  has  been  directed  primarily  at  achieving 
quality  in  manufactured  products.  Qualification  under  the  ISO  9000  series  is 
intended  to  help  bring  a  measure  of  uniformity  and  quality  to  the  construction 
of  marine  structures.  Background  and  application  of  these  guidelines  have 
been  reviewed  in  this  chapter. 

This  chapter  concludes  with  a  suggestion  of  responsibilities  and  ac¬ 
countabilities  for  quality  in  the  design,  construction,  and  operation  of  ship 
structures.  The  roles  of  owners  /  operators,  regulatory  agencies,  classification 
and  inspection  agencies,  and  designers  /  constructors  are  suggested. 

An  important  aspect  for  future  development  is  that  of  a  ship  life-cycle 
quality  information  and  communication  system.  It  will  be  of  critical  impor¬ 
tance  to  integrate  the  human  factors  issues  developed  in  this  chapter  into  such 
a  database,  and  in  addition  the  similar  human  factor  considerations  that  re¬ 
late  to  the  all  important  operations  phase.  The  U.  S.  Coast  Guard  has  initiated 
efforts  in  this  direction  [Sanquist,  et  al.,  1993]. 
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EVALUATION  APPROACHES  & 

QUANTIFICATION 


Introduction 


The  objective  of  this  chapter  is  to  define,  outline  and  discuss  approaches 
to  the  evaluation  and  assessment  of  human  error  effects  on  the  design  and 
construction  of  ship  structures.  The  different  approaches  are  intended  to  al¬ 
low  one  to  study  the  physical  aspects  of  systems  and  procedural  -  human  as¬ 
pects  in  their  present  or  proposed  form,  identify  potential  improvements  and 
potential  critical  flaws,  and  identify  how  best  to  improve  the  quality  of  the  sys¬ 
tems  and  procedures. 


There  are  three  alternative  approaches  that  can  be  used  to  develop  eval¬ 
uations  of  HOE  effects  on  the  quality  of  ship  structures: 

1)  qualitative, 

2)  quantitative,  and 

3)  mixed  qualitative  -  quantitative. 

It  is  important  to  stress  that  these  three  approaches  are  complimentary. 
They  should  be  used  in  different  stages  and  parts  of  the  HOE  evaluation  pro¬ 
cess. 


Qualitative  -  Subjective 

The  first  approach  can  be  identified  as  subjective  or  qualitative  (Figure 
8.1).  This  approach  is  generally  the  starting  point  for  the  evaluation  and  as¬ 
sessment  processes.  In  many  cases,  this  approach  can  prove  to  be  sufficient  to 
achieve  and  assure  the  desired  level  of  quality  in  the  ship  structure.  This  ap¬ 
proach  uses  'soft'  linguistic  variables  to  describe  systems  and  procedures. 
Integration  of  the  evaluations  is  subjective.  This  approach  may  or  may  not  in- 
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volve  detailed  structuring  of  systems  and  the  EDA  (Events,  Decisions,  Actions) 
that  may  influence  the  quality  of  these  systems. 


Quantitative  -  Objective 

The  second  approach  can  be 
termed  objective  or  quantitative. 

This  approach  is  generally  utilized 
for  higher  consequence  systems  and 
processes  in  which  undesirable  lev¬ 
els  of  quality  have  potentially  severe 
ramifications.  This  approach  gen¬ 
erally  examines  in  much  greater  de¬ 
tail  the  systems  and  the  EDA  that 
influence  the  quality  of  these  sys¬ 
tems. 


This  approach  utilizes  nu¬ 
merical  models  to  provide  quantita¬ 
tive  indications  of  what  the  effects  . 

are  of  changes  in  the  quality  man-  Figure  8.1  -  Evaluation  approaches 

agement  systems  and  procedures. 

This  approach  generally  focuses  on 

the  critical  aspects  of  systems  that  have  been  evaluated  using  the  more  general 
qualitative  methods.  This  approach  uses  hard  numerical  variables  to  describe 
systems  and  procedures.  The  analytical  models  provide  for  integration  of  the 
effects  and  variables. 

The  quantitative  approach  has  traditionally  been  identified  as  the  PRA 
(Probabilistic  Risk  Analysis)  or  QRA  (Quantified  Risk  Analysis)  approach.  It 
has  been  highly  developed  and  applied  to  a  wide  variety  of  types  of  engineered 
systems.  It  has  seen  particular  development  and  application  in  nuclear  power 
plants.  However,  it  has  been  applied  to  marine  systems  such  as  offshore  plat¬ 
forms  and  pipelines. 


QUALITATIVE 
'soft'  -  linguistic  variables 
'subjective'  integration 

I _ I _ 


High 


- QUANTITATIVE - 

'hard'  -  numerical  variables 
analytical  Integration 

_ I _ 


MIXED  QUALITATIVE  &  QUANTITATIVE 
linguistic  variables  translated  to  numerical  variables 
analytical  integration 


Hlsh 


Mixed  Qualitative  -  Quantitative 

The  third  approach  is  a  mixed  qualitative  and  quantitative  process. 
Linguistic  variables  are  translated  to  numerical  variables.  A  mathematical 
process  is  provided  to  perform  analytical  integration  of  the  effects  and  vari¬ 
ables.  In  one  form,  this  approach  has  been  based  on  the  mathematics  of 
"Fuzzy  Sets"  [Zimmermann,  1991].  Moore  and  Bea  (1993b)  utilized  such  an  ap¬ 
proach  in  development  of  HESIM  (Human  Error  Safety  Index  Method)  to  assist 
in  the  quantitative  evaluations  of  HOE  in  operations  of  marine  systems  (ships, 
offshore  platforms).  Gale,  et  al.  (1994)  utilized  a  similar  ranking  -  index 
method  to  evaluate  the  potentials  for  fires  and  explosions  onboard  offshore  plat¬ 
forms.  This  method  has  been  identified  as  FLAIM  (Fire  and  Life  safety 
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Assessment  Indexing  Method).  The  HESIM  and  FLAIM  approaches  are 
summarized  in  Appendix  C. 

This  approach  has  been  termed  "soft  computing".  The  rigid  structure  of 
formal  probability  theory  and  analytical  quantification  are  surrendered  in  fa¬ 
vor  of  a  "more  flexible"  structure.  Expert  systems  (knowledge  base  systems) 
and  neural  networks  have  been  combined  with  the  theory  of  Fuzzy  Sets  to  pro¬ 
vide  an  evolving  approach  to  the  evaluation  of  systems  in  which  there  is  either 
no  need  or  it  is  not  desirable  to  follow  the  computationally  more  demanding 
"hard  computing"  approaches.  This  approach  is  being  applied  to  a  wide  vari¬ 
ety  of  systems  (Brown,  et  al.,  1985).  This  approach  is  in  a  state  of  development 
and  evolution  in  a  wide  variety  of  marine  and  non-marine  sectors. 

Fundamentally  this  third  approach  can  be  developed  and  applied  in  the 
context  of  the  first  two  approaches  discussed  here  (Moore,  Bea,  1993b;  Gale,  et 
al.,  1994],  The  analysts  must  be  willing  to  surrender  rigid  interpretations  ap¬ 
plied  to  the  numerical  quantifications  and  analyses.  Conventional  probability 
theory  and  mathematics  can  be  used  to  provide  the  necessary  quantifications  if 
one  will  adopt  a  "Bayesian"  philosophy  in  which  the  probabilistic  expressions 
are  interpreted  to  be  expressions  of  the  degree  of  belief  [Orisamolu,  Bea,  1993]. 

Indexing  methods  require  calibration  to  develop  results  that  are  consis¬ 
tent  with  those  developed  from  quantitative  PRA  or  QRA  methods.  As  reliable 
data  is  developed,  analyzed,  and  integrated  into  the  evaluations,  the  degree  of 
subjectivity  can  be  decreased. 


Sources  of  Quantifications 


A  detailed  study  of  the  present  databases  on  marine  systems  in  which 
there  has  been  unacceptable  levels  of  quality  indicates  that  they  are  very  defi¬ 
cient  in  their  ability  to  accurately  define  the  key  initiating,  contributing,  and 
compounding  factors  that  lead  to  compromises  of  operating  quality. 

There  has  not  been  any  common  classification  or  definition  of  causes  of 
marine  accidents.  There  has  been  a  dearth  of  well  trained  investigators. 
Investigations  generally  have  focused  on  the  immediate  causes  of  quality  prob¬ 
lems,  not  the  underlying  factors  that  lead  to  these  causes.  Investigations  have 
frequently  been  focused  on  placing  blame  rather  than  on  determining  the  un¬ 
derlying,  direct,  and  contributing  factors.  Organizational  factors  have  largely 
been  ignored.  Due  to  legal  action  concerns,  there  is  not  a  single  generally 
available  database  that  addresses  violations  or  intentional  circumvention  re¬ 
lated  causes  of  low  quality  in  marine  systems. 

There  is  not  a  single  available  database  that  addresses  the  very  impor¬ 
tant  near  misses.  Inclusion  of  such  information  in  operating  databases  could 
help  indicate  how  design,  construction,  and  operating  personnel  are  able  to  in¬ 
terrupt  potentially  catastrophic  compounding  sequences  of  problems  and 
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bring  the  system  back  to  a  safe  condition.  If  developed  and  employed  on  "real 
time"  basis,  such  information  could  provide  very  important  early  warnings  of 
developing  problems  with  design,  construction,  and  operating  systems. 

In  all  portions  of  the  quality  improvement  process,  data  on  HOE  causes 
and  effects  is  sadly  lacking.  There  has  not  been  a  common  vocabulary  to  de¬ 
scribe  direct,  contributing,  and  compounding  causes.  There  is  little  definitive 
information  on  the  rates  and  effects  of  human  errors  and  their  interactions 
with  organizations,  environments,  hardware,  and  software.  There  is  even 
less  definitive  information  on  how  contributing  factors  influence  the  rates  of 
human  errors. 

Given  the  requirement  to  improve  the  quality  of  marine  structures  and  a 
need  to  implement  alternative  QA  /  QC  strategies  in  design,  construction,  and 
operation  of  marine  structures,  there  is  a  pressing  need  to  begin  gathering, 
archiving  and  analyzing  high  quality  data  on  HOE  incidence,  causes,  and  ef¬ 
fects.  Some  organizations  have  begun  such  developments.  These  efforts  need 
to  be  encouraged  and  extended. 


Sources  of  Data 

Given  the  dearth  of  reliable  quantitative  information  that  is  presently 
available  on  HOE  in  design  and  construction  of  marine  systems,  the  analysts 
are  left  with  four  primary  sources  of  information  to  perform  evaluations: 

1)  judgment, 

2)  simulations, 

3)  field,  laboratory,  and  office  experiments,  and 

4)  process  reviews,  accident  and  near-miss  investigations. 

All  of  these  sources  represent  viable  means  of  providing  quantitative 
evaluations.  It  is  rare  to  find  a  structured  and  consistent  use  of  these  four  ap¬ 
proaches  in  HOE  assessments. 

Simulations  in  the  laboratory,  office,  or  field  can  provide  significant  in¬ 
sights  into  how  and  when  errors  are  developed.  The  use  of  simulators  is  an 
important  way  to  "train-out"  error  promoting  tendencies.  Simulations  and 
simulators  can  not  replicate  the  stresses  and  pressures  of  real  situations 
(recovery  is  always  possible  and  the  consequences  are  rarely  fatal). 

Field  and  office  experiments  are  an  important  way  to  gather  informa¬ 
tion  on  errors.  They  represent  samplings  of  the  more  general  situation  being 
studied,  and  must  be  carefully  designed  to  avoid  bias  in  the  results. 

Process  reviews,  accident  and  near-miss  investigations  also  are  an  im¬ 
portant  source  of  information  that  if  carefully  and  insightfully  done  can  pro¬ 
vide  important  data  on  errors  in  situations  in  which  stresses  and  pressures 
are  high.  Legal  and  punitive  threats  often  provide  significant  impediments  to 
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identifying  the  contributing,  initiating,  and  compounding  causes  of  these  er¬ 
rors.  Trained  investigators  are  a  "must"  in  performing  such  investigations. 
The  use  of  anonymous  accident  and  near-miss  reporting  systems  have  been 
reasonably  successful  in  developing  information  on  accidents  and  near- 
misses. 

Judgment  is  perhaps  one  of  the  most  important  sources  of  quantitative 
information.  Judgment  should  not  be  thought  of  as  the  opposite  of  rational 
thought.  Qualified  judgment  is  based  upon  both  the  accumulation  of  experi¬ 
ence  and  a  mental  synthesis  of  factors  which  allow  the  evaluator  to  assess  the 
situation  and  produce  results.  Judgment  has  a  primary  and  rightful  place  in 
making  quantitative  evaluations  because  available  data  is  always  deficient  for 
the  evaluation  of  a  particular  situation. 
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Figure  8.2  -  Qualitative  &  quantitative  evaluations 


Given  the  present  situation  regarding  definitive  quantitative  informa¬ 
tion  on  which  to  base  objective  quantitative  evaluations,  one  must  rely  primar¬ 
ily  on  judgment  (Figure  8.2).  As  adequately  structured  databases  are  devel¬ 
oped  and  implemented  for  HOE  evaluations,  then  in  the  future,  more  reliance 
can  be  placed  on  objective  data  and  evaluations  based  on  a  combination  of  data 
and  judgment.  It  is  not  likely  in  the  near-term,  that  sole  reliance  can  be 
placed  on  objective  data  sources  to  provide  quantitative  evaluations. 

Adequately  qualified  and  unbiased  judgment  will  be  essential  to  develop  mean¬ 
ingful  results. 
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Judgment  can  be  influenced  by  a  variety  of  types  of  "bias"  that  are  identi¬ 
fied  in  Table  8.1.  These  biases  distort  the  perception  of  reality.  These  biases  af¬ 
fect  the  way  one  interprets  the  past,  predicts  the  future,  and  makes  choices  in 
the  present.  These  biases  or  heuristics  (rules  of  thumb)  define  an  evaluator's 
cognitive  structure  and  dictates  the  ways  things  are  perceived. 

Table  8.1  -  Types  of  judgment  bias  and  its  influences 


1 

Influence  on  Judgment 

•  Availability 

•  Probability  of  easily  recalled  events  are  dis¬ 
torted 

•  Selective  perception 

•  Expectations  distort  observations  of  variables 
relevant  to  a  strategy 

•  Illusory  correlation 

•  Encourages  the  belief  that  unrelated  variables 
are  correlated 

•  Conservatism 

•  Failure  to  sufficiently  revise  forecasts  based  on 
new  information 

•  Small  samples 

•  Over  estimation  of  the  degree  to  which  small 
samples  are  representative  of  a  population 

•  Wishful  thinking 

•  Probability  of  desired  outcomes  judged  to  be 
inappropriately  high 

•  Illusion  of  control 

•  Over  estimation  of  the  personal  control  over 
outcomes 

•  Logical  construction 

•  Logical  construction  of  events  which  cannot  be 
accurately  recalled 

•  Hindsight 

•  Over  estimation  of  the  predictability  of  past 
events 

Quantified  Data  on  Task  Reliability 

Williams  [1988],  Swain  and  Guttman  [1983],  and  Edmondson  [1993]  have 
published  useful  summaries  that  provide  quantified  information  on  human 
errors.  This  information  has  been  developed  primarily  for  evaluation  of  HOE 
effects  in  the  operations  of  nuclear  power  plants.  The  information  was  devel¬ 
oped  primarily  from  experiments  and  simulations  concerning  general  cate¬ 
gories  of  human  task  reliability. 

Results  from  the  experiments  performed  by  Swain  and  Guttman  [1983] 
are  summarized  in  Figure  8.3.  Generic  human  error  rates  are  assigned  to 
general  types  of  tasks  performed  under  general  types  of  influences  and  imped¬ 
iments.  The  range  of  error  probabilities  are  intended  to  be  associated  with  the 
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potential  ranges  in  the  influences  and  impediments.  If  the  influences  and 
impediments  are  intense,  then  the  error  probabilities  will  be  toward  the  upper 
portion  of  the  range  and  vice  versa. 


These  ranges  are  intended  to  g 
define  the  mean  probabilities  of  a 
significant  or  major  human  error  “ 

per  task  performed  by  the  human. 

The  one  Standard  Deviation  ranges 
associated  with  generic  average 
rates  of  human  errors  have  been  ££ 

published  by  Williams  [19888].  The 
results  are  summarized  in  Figure  <2 
8.4.  The  ranges  imply  general  task  go 
performance  Coefficients  of  £ 

Variation  (ratio  of  Standard  2 

Deviation  to  the  Mean)  in  the  range  5 
of  50  %  to  in  excess  of  100  %. 


new  or  rarely  performed  task 
extreme  stress,  very  little  time 
severe  distractions  &  imparements 

—  10' 

in-2 

highly  complex  task 
considerable  stress,  little  time 
moderate  distractions  &  imparements 

_  m-3 

complex  or  unfamililar  task 
moderate  stress,  moderate  time 
little  distractions  &  imparements 

difficult  but  familiar  task 
little  stress,  sufficient  time 
very  little  distractions  or  imparements 

- 10« 

simple,  frequently,  skilled  task 
no  stress,  no  time  limits 
no  distractions  or  imparements 

It  is  important  to  note  that  the 
severity  of  the  error  is  not  captured 
in  any  of  the  available  quantitative 
information.  Errors  are  either  ma¬ 
jor  and  significant  or  minor  or  not 
significant.  It  is  has  been  noted  that 
minor  or  not  significant  errors  are 
generally  caught  by  the  individual  or 
individuals  and  corrected;  hence 
their  lack  of  importance  in  the  as¬ 
sessment  of  human  reliability 
[Swain,  Guttman,  1988;  Dougherty, 
Frangola,  1988]. 

Information  also  has  been  de¬ 
veloped  on  human  error  perfor¬ 
mance  shaping  factors  [Williams, 
1988;  Swain  &  Guttman,  1983]. 

These  performance  shaping  factors 
are  influences  that  can  result  in  an 
increase  in  the  mean  rates  of  hu¬ 
man  errors.  Simulations,  experi¬ 
ments,  and  information  gathered  on 
plant  operations  provided  this  in¬ 
formation  [Dougherty,  Frangola, 
1988].  The  results  are  summarized 
in  Table  8.2. 


Figure  8.3  -  Generic  human  task  error 
rates 
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Figure  8.4  -  Nominal  human  task  per¬ 
formance  unreliability  (o  -  Mean;  •  -  one 
Standard  Deviation) 
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These  performance  shaping 
factors  are  extremely  useful  in  help¬ 
ing  develop  quantification  of  the  poten¬ 
tial  effects  of  changes  in  organization, 
hardware,  procedures,  and  environ¬ 
ments  on  the  base  rates  of  human  er¬ 
rors. 

Information  relating  to  engi¬ 
neering  structure  design  errors  have 
been  developed  by  Melchers  and 
Stewart  [1980-1990].  This  is  the  only 
such  information  that  could  be  located 
during  this  project.  Based  on  surveys 
of  Australian  structure  design  firms, 
they  developed  general  information  on 
the  average  of  rates  of  calculation  er¬ 
rors  and  on  the  average  rates  of  errors 
associated  with  different  types  of  en¬ 
gineering  analyses  or  assessments. 

This  information  is  summa¬ 
rized  in  Table  8.3  and  Figure  8.5. 
Structure  analysis  calculation  error 
rates  depend  on  the  number  of  se¬ 
quential  calculations  involved  in  a 
given  analysis.  The  calculation  error 
rates  are  not  proportional  to  the  num¬ 
ber  of  calculations.  Analyses  involv¬ 
ing  loading  combinations  and  loading 
reduction  factors  account  for  the 
largest  rates  of  structural  design  er¬ 
rors.  This  agrees  with  the  author's 
personal  structural  design  experi¬ 
ence.  It  certainly  indicates  where  de¬ 
sign  checking  might  be  most  effective 
at  catching  major  errors. 


Table  8.2  -  Performance  shaping 
factors 


Error  Producing  Condition 

Multi 

plier 

Unfamiliarity 

17 

Time  shortage 

11 

Low  signal  to  noise  ratio 

10 

Features  over-ride  allowed 

9 

Spatial  /  functional  incompatibility 

8 

Design  model  mismatch 

8 

Irreversible  action 

8 

Information  overload 

6 

Technigue  unlearning 

6 

Knowledge  transfer 

5.5 

Performance  ambiguity 

5 

Misperception  of  risk 

4 

Poor  feedback 

4 

Inexperience 

3 

Communication  filtering 

3 

Inadeguate  checking 

3 

Objectives  conflicts 

3 

Limited  diversity 

2.5 

Educational  mismatch 

2 

Dangerous  incentives 

2 

Lack  of  exercise 

1.8 

Unreliable  instruments 

1.6 

Absolute  judgments  reguired 

1.6 

Unclear  allocation  of  functions 

1.6 

Lack  of  progress  tracking 

1.4 

Limited  physical  capabilities 

1.4 

Emotional  stress 

1.3 

Sleep  cycle  disruption 

1.2 
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Number  of  Calculations 


Figure  8.5  -  Structural  calculations 
error  rates 


Table  8.3  -  Structural  engineering 
concept  error  rates 


Error 

Rate 

Code  interpretation 

0.0150 

Ranking 

0.0135 

Table  look-up 

0.0126 

Loading  coefficients 

0.1333 

Loading  directions 

0.1000 

Reduction  factors 

0.8000 

Loading  combinations 

0.4167 

Analyses  of  Systems  and  Procedures 


Figure  8.6  outlines  a  gen¬ 
eral  approach  to  develop  analyses 
of  ship  structure  design,  con¬ 
struction,  and  operation  systems. 


Step  #1:  PERFORM  A  SYSTEM  ANALYSIS 

define  system  hardware,  software,  environments, 
_ organizations  and  Individuals _ 


Step  #1  is  to  perform  an 
analysis  of  the  system;  to  define 
the  system  hardware,  software, 
the  environments  (internal,  ex¬ 
ternal)  in  which  it  must  operate, 
the  organizations  that  can  exert 
important  influences  on  the  sys¬ 
tem,  and  the  individuals  (teams, 
operators)  that  can  interface  with 
the  system.  This  step  should  re¬ 
sult  in  logical  "diagrams"  of  the 
physical  components  of  the  sys¬ 
tem. 


Step  #2  is  to  perform  a  pro¬ 
cess  analysis.  The  process  analy¬ 
sis  is  intended  to  define  how 
things  work;  the  procedures, 
premises,  and  interfaces  that  can 
be  important  to  the  reliability  of 
the  system. 


Step  #2:  PERFORM  A  PROCESS  ANALYSIS 

define  how  things  are  done:  how  the  system  hardware, 
software,  environments,  organizations,  and  Individuals 
work 


Step  #3:  PERFORM  ANALYSES  OF  THE  SYSTEM  & 
PROCESS  AS  PRESENTLY  CONFIGURED 

define  the  likelihood  and  "quality"  achieved 


Step  #4:  PERFORM  ANALYSES  OF  THE 
RECONFIGURED  SYSTEM  &  PROCESS 

define  the  likelihood  and  additional"quallty" 
that  could  be  achieved _ 


Figure  8.6  -  Approach  to  evaluations  of  sys¬ 
tems  and  procedures 
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Step  #3  is  to  perform  analyses  of  the  system  and  its  processes  as  it  is 
presently  configured.  As  previously  discussed,  these  analyses  can  be  qualita¬ 
tive,  quantitative,  and  mixed.  The  objective  of  these  analyses  is  to  provide  in¬ 
sights  into  the  levels  of  quality  that  can  be  achieved  and  into  the  likelihood  of 
achieving  these  levels. 

Step  #4  is  to  perform  analyses  of  the  re-configured  system  and  its  pro¬ 
cesses.  A  variety  of  options  and  alternatives  need  to  be  defined.  The  objective  of 
this  step  is  to  understand  how  effective  improvements  in  the  system  and  pro¬ 
cesses  might  be.  This  step  will  entail  evaluations  of  the  "costs"  and  "benefits" 
of  these  options  and  alternatives  and  an  assessment  of  the  "best"  alternative  to 
achieve  the  desirable  and  acceptable  level  of  quality  in  the  system  and  its  pro¬ 
cesses. 


Qualitative  Approaches 


The  qualitative  approaches  generally  focus  on  general  categories  of  op¬ 
erations  performance.  General  good  practice  guidelines  are  given.  General 
rather  than  detailed  studies  of  the  systems  are  developed.  The  focus  is  on  per¬ 
formance  rather  than  processes. 

In  the  qualitative  approach  developed  during  this  project,  specific  ma¬ 
rine  systems  can  be  evaluated  based  on  "scales"  and  attributes  developed  to  re¬ 
flect  the  potentials  for  good  or  bad  operating  performance.  Figure  8.7  illus¬ 
trates  a  qualitative  evaluation  instrument  for  design  of  ship  structures. 
Application  of  the  design  instrument  will  be  illustrated  in  the  next  chapter  of 
this  report. 

HazOp  (Hazard  Operability)  procedures  have  been  employed  in  evaluat¬ 
ing  a  wide  variety  of  marine  systems.  Qualitative  approaches  have  also  been 
identified  as  Failure  Mode  and  Effect  Analysis  (FMEA).  This  approach  fo¬ 
cuses  on  both  functional  analysis  and  the  evaluation  of  potential  consequences. 
The  objective  of  these  analyses  is  to  identify  the  combination  of  events  that 
could  lead  to  different  degrees  of  quality  and  characterize  the  effects  of  these 
different  degrees  of  quality  in  terms  of  their  potential  consequences.  The 
method  is  structured  only  in  how  it  is  performed.  It  focuses  on  a  logical  analy¬ 
sis  of  the  system  and  its  functions.  It  does  not  rely  on  quantitative  or  probabil¬ 
ity  based  methods. 

FMEA  attempts  to  assess  the  criticality  of  a  component  or  function  of  a 
system  on  the  bias  of  the  minimum  number  of  "failures"  in  the  "failure 
modes"  involving  the  component  or  function.  If  a  failure  mode  (sequence  of 
events  leading  to  low  quality)  is  constituted  of  one  component  or  function  fail¬ 
ure,  this  component  or  function  is  indicated  to  be  "criticality  #1,"  and  so  forth. 
In  this  manner,  the  most  critical  components  and  functions  in  a  system  are 
identified.  These  components  and  functions  then  become  the  primary  options 
for  QA  /  QC  measures. 
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The  FMEA  approach  is 
relatively  simple  to  understand  and 
apply.  It  avoids  the  details  and 
demands  of  quantitative  analyses. 
FMEA  does  not  generally  give  a  satis¬ 
factory  indication  of  priorities  be¬ 
cause  it  does  not  identify  the  likeli¬ 
hood  of  occurrence  which  may  differ 
greatly  among  components  and  func¬ 
tions.  Also,  it  fails  to  account  explic¬ 
itly  for  couplings  and  dependencies; 
common  causes  and  events  are  not 
identified.  FMEA  generally  under 
estimates  the  true  criticality  of  mod¬ 
erate  events  or  developments  of  high 
probability  whose  combination  with 
several  other  events  or  developments 
of  the  same  time  leads  to  system 
"failure."  Evaluation  of  past  quality 
problems  in  design  and  construction 
of  marine  structures  indicates  that 
such  combinations  are  generally  re¬ 
sponsible  for  "failures." 

Yet,  with  all  of  these  disadvan¬ 
tages,  the  qualitative  methods  have 
much  to  offer.  They  should  be 
thought  of  as  providing  a  framework 
for  thought,  debate,  analysis,  and 
communication.  They  should  be 
thought  of  as  providing  a  complimen¬ 
tary  approach  to  the  detailed  quanti¬ 
tative  approaches. 
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Figure  8.7  -  Structure  design  quality 
profiling  instrument 


The  qualitative  methods  can  be 

extremely  useful  in  helping  identify  important  issues  and  considerations  that 
later,  if  warranted  and  useful,  can  become  the  primary  focus  of  detailed 
quantitative  approaches.  If  one  attempts  to  perform  detailed  quantitative 
evaluations  of  all  aspects  of  a  system,  it  quickly  gets  out  of  hand;  one  becomes 
lost  in  the  trees  before  the  forest  is  understood  or  appreciated. 
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Quantitative  Evaluations 


The  second  approach  is  oriented  to  detailing  how  the  operating  system 
works  or  might  not  work  and  quantifying  the  likelihood  associated  with  per¬ 
formance.  This  approach  is  very  system  specific.  Evaluation  of  the  hardware 
and  squishyware  (human,  organization,  procedure)  [Wenk,  1986]  aspects  also 
are  very  specific  and  detailed.  This  approach  is  generally  very  structured  in 
that  probabilistic  Event  Tree,  Fault  Tree,  and  Influence  Diagram  type  analyses 
are  used.  Such  analyses  are  frequently  identified  as  Probabilistic  Risk 
Analyses  (PRA)  or  Quantified  Risk  Analyses  (QRA). 

PRA  /  QRA  analyses  have  been  used  in  a  wide  variety  of  industrial  set¬ 
tings  including  operations  of  nuclear  power  plants,  commercial  aircraft,  liq¬ 
uefied  natural  gas  export  and  import  ports,  oil  refineries,  and  offshore  plat¬ 
forms.  This  approach  is  presently  being  used  in  many  of  the  Safety  Case  stud¬ 
ies  being  performed  by  platform  operators  in  the  U.  K.  Sector  of  the  North  Sea. 
This  approach  has  been  a  historic  basis  of  the  Norwegian  offshore  safety  man¬ 
agement  system. 

As  discussed  at  the  conclusion  of  the  previous  section,  it  is  important  to 
realize  that  the  qualitative  and  quantitative  approaches  are  complimentary. 
They  have  the  same  objective:  detecting  potentially  critical  flaws  in  design, 
construction,  and  operations  of  ship  structures,  and  then  defining  measures  to 
rectify  these  critical  flaws  before  acceptable  quality  is  compromised. 

The  quantitative  approach  is  focused  at  characterizing  the  details  of  how 
systems  are  operated  while  the  qualitative  approach  is  focused  at  characteriz¬ 
ing  the  general  performance  quality  of  a  system.  The  results  from  both  of  the 
approaches  depend  greatly  on  the  individuals  that  perform  the  evaluations  and 
the  procedures  and  processes  that  they  utilize.  Experience  with  the  particular 
system  and  operations  should  be  the  primary  requirement  for  those  that  lead 
and  structure  such  evaluations. 


Strategy  for  Analyses 

It  can  be  desirable  to  perform  quantitative  evaluations  of  marine  sys¬ 
tems  to  investigate  the  need  for  and  effectiveness  of  quality  improvements.  A 
full-scope,  life-cycle  QA  /  QC  quantitative  evaluation  should  be  conducted  in 
"stages"  that  represent  an  increasing  degree  of  detail  and  complexity  [Bea,  et 
al.,  1992].  These  are  summarized  in  Figure  8.8. 
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Figure  8.8  -  Screening  analysis  approach  to  focus  on  most  important  aspects 


Four  stages  are  suggested  that  are  intended  to  help  progressively 
"screen"  minor  from  major  potential  events  that  can  lead  to  significant  com¬ 
promises  in  quality  of  marine  structures.  These  stages  are: 

1)  coarse  qualitative, 

2)  detailed  qualitative, 

3)  coarse  quantitative,  and 

4)  detailed  quantitative. 

The  first  step  in  this  approach  is  to  detail  the  physical  characteristics  of 
the  particular  design,  construction,  and  operation  "system"  that  is  being  eval¬ 
uated.  Next  the  organizational  procedural,  hardware,  and  environments  that 
potentially  influence  the  interfacing  of  individuals  with  the  system  must  be  de¬ 
tailed. 


The  next  step  is  to  compile  a  comprehensive  list  and  structure  the  devel¬ 
opment  of  potential  life-cycle,  full-scope  initiating  events  based  on  a  particular 
structure  and  non-structure  marine  system.  This  step  requires  detailed  in¬ 
formation  on  the  proposed  system:  how  it  will  be  designed,  constructed,  oper¬ 
ated,  and  maintained.  This  step  also  requires  personnel  that  are  experienced 
in  each  of  these  activities.  Most  importantly,  experienced  personnel  with  "per¬ 
verse  imaginations"  are  needed  to  help  perform  the  analyses  of  what  and  how 
things  can  go  wrong  and  the  consequences.  To  explicitly  address  considera¬ 
tions  of  HOE,  the  interactions  of  individuals,  organizations,  hardware,  soft¬ 
ware,  and  environments  must  be  interwoven  with  the  physical  and  procedural 
aspects  of  a  given  marine  structure  (system). 

Many  engineers  are  taught  and  disciplined  to  think  of  how  things  can 
and  will  go  right.  Experience  frequently  is  the  teacher  of  how  things  can  go 
wrong  and  the  associated  consequences.  Throughout  the  entire  process,  to 
provide  direction  and  management  of  the  evaluations  and  analyses  it  is  much 
better  to  have  engineers  that  are  experienced  in  actually  performing  the  ma¬ 
rine  activities  and  operations  and  that  are  acquainted  with  reliability  analyses 
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than  engineers  that  are  experienced  in  performing  reliability  analyses  and 
that  are  only  familiar  with  marine  systems. 

The  initial  qualitative  stages  (#1  and  #2)  are  very  important.  These 
stages  not  only  filter  out  very  important  hazards  from  those  that  are  not  so  im¬ 
portant,  but  as  well  result  in  the  basic  structuring  of  the  overall  assessment 
process.  These  stages  are  most  familiar  to  topsides  engineers  in  that  the  anal¬ 
yses  typically  follow  the  precepts  of  FMEA.  Such  studies  have  been  and  con¬ 
tinue  to  be  used  extensively  offshore.  They  have  found  wide  applications  in  re¬ 
lated  onshore  studies  such  as  those  performed  for  hydrocarbon  refineries. 

The  next  step  is  to  define  the  consequences  that  are  of  concern.  Based  on 
the  definition  of  quality  developed  in  this  report,  these  consequences  fall  into 
four  categories:  1)  insufficient  serviceability,  2)  inadequate  safety,  3)  inade¬ 
quate  durability,  and  4)  lack  of  compatibility. 

The  severity  of  the  consequences  can  be  measured  in  a  variety  of  ways. 
For  the  foregoing  categories,  for  ship  structures  example  measurements  in¬ 
clude:  1)  days  of  ship  unavailability  and  associated  costs  due  to  the  ship  struc¬ 
ture,  2)  casualty  rate  and  costs  of  "failures",  3)  fracture  rate  and  costs  of  re¬ 
pairs,  and  4)  unanticipated  costs,  environmental  impacts  (e.g.  in  barrels  of 
cargo  spilled).  Both  quantitative  scales  and  associated  qualitative  scales  (e.g. 
low,  moderate,  high)  can  be  established  to  evaluate  these  consequences.  The 
qualitative  scales  are  calibrated  with  the  quantitative  scales  so  that  consistency 
is  maintained  in  evaluating  the  consequences. 

The  importance  of  initiating  events  should  be  judged  in  terms  of  their 
risks.  Risks  are  defined  as  the  product  /  result  of  the  likelihood  of  the  initiating 
event  and  the  associated  accident  path  and  the  consequences  associated  with 
the  initiating  event.  Both  quantitative  and  qualitative  probability  weighted  risk 
scales  for  each  of  the  categories  of  consequences  should  developed  and  cali¬ 
brated  to  produce  consistent  evaluations. 

At  the  present  time,  there  are  several  major  problems  associated  with 
performing  quantitative  analyses.  First,  given  the  present  dearth  of  reliable 
data  on  HOE  causes  and  effects,  expert  judgment  must  be  relied  upon  to  pro¬ 
vide  the  necessary  quantifications.  Second,  there  is  no  generally  accepted  way 
to  integrate  considerations  of  HOE  into  the  analyses.  There  are  no  established 
procedures  and  guidelines  for  the  performance  of  such  analyses.  Third,  per¬ 
forming  the  quantitative  analyses  requires  a  high  degree  of  expertise  in  how  to 
perform  such  analyses  and  a  perceptive  understanding  of  the  details  of  the 
marine  system  being  evaluated.  There  are  few  analysts  that  have  such  quali¬ 
fications. 

Until  these  problems  can  be  overcome,  the  quantitative  results  should  be 
regarded  with  caution.  It  is  the  process  of  evaluation  and  assessment  of  the 
details  of  the  system  that  can  provide  the  greatest  benefits  to  indicate  how  best 
to  improve  the  quality  of  the  system.  The  quantitative  analyses  should  not  be 
allowed  to  provide  paralysis  in  improving  the  quality  of  marine  structures. 
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Analytical  Approaches 

Three  techniques  can  be  used  to  perform  quantitative  analyses  of  sys¬ 
tems  and  their  functional  aspects:  Fault  Tree  Analyses  (FT A),  Event  Tree 
Analyses  (ETA),  and  Influence  Diagram  Analyses  (IDA)  [Orisamolu,  Bea, 
1993]. 

Fault  Tree  Analyses.  FTA  start  with  the  event  of  interest  (e.g.  failure 
perform  fatigue  analyses).  Inductive  logic  of  the  system  and  its  functions  is 
determine  the  causes  of  the  event  (e.g.  due  to  organization  ?).  This  approach 

implies  sequential  identification  of  the  unions  (Event  A  and  Event  B,  A  n  B)  or 
intersections  (Event  A  or  Event  B,  A  u  B)  of  events  that  describe  each  binary 
variable  down  to  the  point  where  all  inputs  are  basic  events  that  can  not  rea¬ 
sonably  be  analyzed  any  further. 

If  two  events  A  and  B  are  mutually  exclusive ,  then: 

P[A  uB]  =  P[A]  +  P[B]  (8.1) 

where  P[  ]  is  the  likelihood  or  probability  of  the  event  indicated  in  the  brackets. 
Mutually  exclusive  events  have  no  sample  points  in  common.  The  probability 
of  the  unions  of  a  series  of  mutually  exclusive  events  is  equal  to  the  sum  of  the 
probabilities  of  the  events. 

If  two  events  A  and  B  are  statistically  dependent: 

P[A  u  B]  =  P[A]  +  P[B]  -  P[A  n  B]  (8.2) 

The  probability  of  B  given  that  A  has  occurred  is  termed  the  conditional 
probability  of  B  given  A  and  is  denoted  P[B  I  A].  It  can  be  defined  as: 


P[B  1  A]  =  P[A  n  B]  \  P[A] 

(8.3) 

P[A  1 B]  =  P[A  n  B]  \  P[B] 

(8.4) 

The  event  B  is  said  to  be  independent  of  A  if: 

P[B  1  A]  =  P[B] 

(8.5) 

Thus  for  two  independent  events,  A  and  B: 

P[A  n  B]  =  P[A]  P[B] 

(8.6) 
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The  occurrence  of  the  event  A  does  not  influence  the  probability  of  the 
event  B.  The  intersection  of  a  series  of  independent  events  is  equal  to  the  prod¬ 
uct  of  the  individual  probabilities. 

If  A  and  B  are  not  mutually  exclusive,  then: 

P[A  n  B]  =  P[A  I  B]  P[B]  =  P[B  I  A]  P[A]  (8.7) 

With  these  basic  relationships,  one  can  perform  FTA.  These  same  rela¬ 
tionships  will  be  those  that  are  used  to  perform  ETA. 

FTA  can  be  organized  into  the  four  major  parts  that  are  described  in  the 
following  paragraphs. 

Part  1  -  develop  system  and  functional  block  dia¬ 
grams.  These  diagrams  identify  the  different  parts  of 
the  system  (hardware)  and  functions  ( squishyware ). 

Their  position  on  the  physical  -  functional  paths  are 
described  as  being  in  series  or  parallel  (Figure  8.9). 

The  elements  that  appear  in  series  must  all  function 
for  the  system  to  function.  The  failure  of  any  element 
in  series  constitutes  loss  of  function  or  "failure.” 

The  elements  that  are  in  parallel  operate  as  re¬ 
dundant  elements.  One  of  them  must  function  for  the 
system  to  function.  The  failure  of  one  of  the  parallel  el¬ 
ements  does  not  constitute  failure  of  the  component 
formed  by  the  two  parallel  elements.  Both  must  fail  for 
the  component  formed  by  the  two  parallel  elements  to 
fail. 


Part  2  -  develop  the  fault  trees.  Starting  from  the 
top  failure  event  of  interest,  the  tree  is  constituted  of  a 
sequence  of  gates  representing  the  logical  unions  and 
intersections  of  events  that  can  lead  to  the  top  failure 
event  (Figure  8.10).  The  variable  located  just  above  a 
gate  is  equal  to  the  logical  function  of  all  variables  lo¬ 
cated  below  the  gate.  This  requires  that  those  events 
that  are  necessary  and  sufficient  to  cause  the  output 
event  appear  as  inputs  to  the  corresponding  gate. 

Part  3  -  evaluate  the  probability  of  the  top  failure  event.  The  probability  of 
the  top  event  (P[F])  is  based  on  the  theory  for  the  probability  of  unions  and  the 
expansion  of  joint  probabilities  as  products  of  conditional  and  marginal  proba¬ 
bilities.  For  the  example  shown  in  Figure  8.9,  this  probability  is: 

P[F]  =  P[A  u(Bn  C)]  (8.8) 


^  output 

Figure  8.9  -  System  / 
functional  block  dia¬ 
gram 
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P[F]  =  P[A]  +  P[B  n  C)]  -  P[An  B  n  C)]  (8.9) 

P[F]  =  P[A]  +  P[B]  P[C  I B]  -  P[A]  P[B  I  A]  P[C  I B]  (8.10) 

If  the  joint  probability  of  A,  B, 


and  C  is  small  enough  compared  with 
the  probability  of  the  individual  failure 
paths,  this  expression  can  be  simplified 
to: 

P[F]  «  P[A]  +  P[B]  +  P[C  I B] 

(8.11) 

If  C  and  B  are  independent 
events,  then: 

P[F]  *  P[A]  +  P[B]  +  P[C] 

(8.12) 

Part  4  -  determine  the  effects  of 
the  intensity  of  "external"  events  that 
represent  input  to  the  system.  The  ex¬ 
ternal  event  or  input  to  the  system  is  de¬ 
noted  as  'E'  and  its  intensity  denoted  as 
'e'.  Based  on  the  total  probability  theo¬ 
rem: 

P[F]=IP[E=e]P[FIE=e] 

(8.13) 

This  approach  is  known  as  the 
fragility  approach  to  determining  the 
likelihood  of  the  failure  event  (P[F]).  A 
fragility  curve  (Figure  8.11)  represents 
the  likelihood  of  failure  given  that  an 
event  or  effect  has  a  given  intensity  or 
magnitude  (P[F  I  E=e]).  Such  curves 
can  be  developed  from  experiments  on 
elements  or  from  analyses  of  these  el¬ 
ements. 

Hazard  or  exposure  analyses  de¬ 
fines  the  likelihood  associated  with  the 
occurrence  of  different  intensities  of  the 
event  or  effect  of  interest  (P[E=e]). 

In  the  example  developed  here, 
the  probability  of  system  failure  condi¬ 
tional  on  E=e  can  be  developed  as: 


failure 


P[A]  P[B  n  C)] 


Figure  8.10  -  Fault  Tree  representa¬ 
tions  of  system  in  Figure  8.9 


Figure  8.11  -  Fragility  curves  for  ele¬ 
ments  in  system  shown  in  Figure  8.9 
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P[F  I  E=e]  =  P[A  I  E=e]  +  P[B  I  E=e]  P[C  I B  n  E=e] 

-  P[A  I  E=e]  P[B  I A  n  E=e]  P[E  lAnBn  E=e]  (8. 14) 

In  many  cases,  the  last  term  can  be  neglected.  However,  the  potential  cou¬ 
pling  provided  by  E  among  the  component  failures  may  increase  P[E  lAnBn 
E=e].  This  must  be  determined  uniquely  for  each  system  and  the  external 
events  of  interest.  Again,  approximately: 

P[F  I  E=e]  *  P[A  I  E=e]  +  P[B  I  E=e]  +  P[C  I  E=e]  (8.15) 

Event  Tree  Analyses.  Event  Trees  are  the  conceptual  reverse  of  Fault 
Trees.  Event  and  Fault  Trees  frequently  are  used  in  combination  in  perform¬ 
ing  a  PRA  or  QRA.  Event  Trees  proceed  through  the  same  four  steps  outlined 
for  FTA. 

Figure  8.12  shows  an  Event  Tree  for  the  system  identified  in  Figure  8.9. 

Event  trees  are  initiated 
with  an  event  that  is  important  to 
the  quality  of  the  system.  This  is 
the  trunk  of  the  tree. 

A  sequence  of  events  are 
then  examined  to  determine  how 
failure  might  occur.  These  sub¬ 
sequent  events  are  frequently 
posed  in  the  form  of  questions. 

An  Event  Tree  is  formed  of  an  or¬ 
dered  sequence  of  events  that  can 
lead  to  an  outcome  of  interest. 

Deductive  logic  is  used  to  form 
Event  Trees.  F  =  failure 

NF  =  non  failure 

An  initiating  event  is  iden¬ 
tified  followed  by  a  definition  of  Figure  8.12  -  Event  Tree  representation  of 
the  possible  sequences  of  follow-  system  shown  in  Figure  8.7 

ing  events.  Each  branching  point 
in  the  Event  Tree  is  termed  a 
node.  Each  event  at  a  given  node 

must  be  represented  by  a  mutually  exclusive,  collectively  exhaustive  set  of  val¬ 
ues  or  outcomes  (e.g.  outcome  =  yes  or  no  in  answer  to  the  question  posed). 
There  can  be  any  number  of  branches  at  a  given  node  as  long  as  they  are  mu¬ 
tually  exclusive  (do  not  have  overlapping  sample  spaces)  and  exhaustive  (their 
probabilities  sum  to  unity). 

Each  node  is  followed  by  branches  that  represent  the  possible  outcomes. 
The  probabilities  attached  to  these  branches  define  the  outcome  likelihood  dis¬ 
tribution  conditional  on  the  values  of  the  previous  random  variables  in  the  tree 
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Recognition  of  the  conditional  nature  of  the  probabilities  in  the  tree  structure  is 
a  critical  consideration. 

The  end  point  or  leaf  of  the  Event  Tree  defines  the  outcome  of  the  se¬ 
quence  of  events. 

The  sum  of  the  failure  leaves  of  the  Event  Tree  shown  in  Figure  8.12  de¬ 
fine  the  probability  of  failure  of  the  system: 

P[F]=P[A]  +  (1-P[A])P[B]P[CIB]  (8.16) 

P[F]  =  P[A]  +  P[B]  P[C  I  B]  -  P[A]  P[B]  P[C  I B]  (8.17) 

Assuming  independence  of  the  events  A,  B,  C: 

P[F]  =  P[A]  +  P[B]  +  P[C]  (8.18) 

These  are  the  same  results  developed  earlier  for  the  FTA  of  the  system 
in  Figure  8.9.  Given  that  there  is  an  intensity  or  magnitude  associated  with 
initiation  of  input  to  the  system,  then  this  can  be  handled  in  the  same  manner 
as  outlined  for  the  FTA. 

Influence  Diagram  Analyses.  Influence  Diagrams  are  equivalent  to 
Event  and  Fault  Trees.  They  use  a  different  graphical  representation.  An 
Influence  Diagram  is  represented  by  a  graphical  portrayal  of  nodes  that  repre¬ 
sent  relevant  decisions,  actions,  and  influences  that  determine  an  outcome 
that  is  of  interest. 

The  components  of  an 
Influence  Diagram  (Figure 
8.13)  are:  (1)  decision  and 
chance  nodes,  (2)  arrows,  (3) 
deterministic  nodes,  and  (4) 
value  nodes  [Howard,  1990]. 

Decisions  are  repre¬ 
sented  by  square  nodes  which 
can  be  a  continuous  or  discrete 
variable  or  a  set  of  decision  al¬ 
ternatives.  Uncertain  events 
or  variables  are  represented  by 
circular  or  oval  chance  nodes. 

Chance  nodes  can  be  continu¬ 
ous  or  discrete  random  vari¬ 
ables  or  a  set  of  events. 

Arrows  indicate  relationships  between  nodes  in  the  diagram.  Arrows 
entering  a  chance  node  signify  that  the  probability  assignments  of  the  node  are 
conditional  upon  the  node  from  which  the  arrow  originated. 


Decision 

node 

Value 

node 

OO  ‘S? 

Expected 

value 

node 

( 

v  Deterministic 
/  node 

►  Arrow 

Figure  8.13  -  Components  that  comprise 
Influence  Diagrams 
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Deterministic  nodes  are  those  in  which  outcomes  depend  deterministi¬ 
cally  upon  its  predecessors.  A  value  node  is  "the  quantity  whose  certain  equiv¬ 
alent  is  to  be  optimized  by  the  decisions"  of  which  only  one  node  may  be  desig¬ 
nated  in  the  diagram.  Value  nodes  may  be  a  distribution  of  possible  values. 
This  is  represented  by  a  rounded  edge  single-border  node.  The  value  node  may 
also  be  represented  as  the  expected  value.  These  nodes  are  represented  by  a 
rounded  edge  double-border  rectangle. 

Each  node  corresponds  to  a  file  that  describes  the  values  of  the  corre¬ 
sponding  variables  or  event  sets  and  their  conditional  probability  distributions. 

Figure  8.14  shows  an  IDA 
of  the  system  in  Figure  8.9. 

Reduction  of  the  probability 
nodes  would  be  accomplished  as 
follows: 

P[F]  =  P[A]  +  P[B]  P[C  I B] 

-  P[A]  P[B  I  A]  P[C  I B] 

(8.19) 

The  evaluation  of  the 
probabilities  (P[E]  and  intensities 
(E=e)  associated  with  the  input 
or  initiating  demand  in  Figure 
8.11  could  be  analyzed  as  follows: 

P[F]  =  IP[E=e]P[FIE=e] 

(8.20) 

Atrain  this  is  direetlv  Figure  8.15  -  Influence  Diagram  represen- 
equivalent  to  the  results  devel-  tation  of  system  in  Fi^re  8  9 

oped  for  the  FT  A  and  ETA  of  the 
same  system. 


Pros  and  Cons  of  FT  A,  ETA,  and  IDA 

FTA  portray  a  static  picture  of  a  system  and  its  functions.  Time  effects 
or  sequences  are  not  captured.  FTA  do  not  easily  treat  continuous  systems  and 
the  propagation  of  failures  in  such  systems.  They  are  better  suited  to  binary 
states  (failure,  no  failure).  They  do  not  easily  account  for  partial  failure  states. 
FTA  are  best  used  to  identify  potential  failure  modes  and  to  evaluate  if  a  con¬ 
junction  of  events  can  lead  to  system  failure. 

ETA  can  include  continuous  variables  and  notions  of  time.  The  events 
in  an  ETA  can  be  ordered  in  any  convenient  way  provided  that  the  condition¬ 
ally  between  the  nodes  /  branches  is  respected  in  the  evaluations.  ETA  are  not 
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able  to  capture  easily  a  functional  analysis.  At  the  end  of  an  ETA  scenario,  the 
implications  of  that  scenario  may  need  to  be  determined  by  a  FTA  or  some 
other  technique. 

IDA  is  a  type  of  probabilistic  modeling  which  allows  great  flexibility  in 
examining  HOE  and  HOE  management  alternatives.  There  are  some  distinct 
advantages  for  using  influence  diagrams  as  an  alternative  to  FTA  and  ETA. 

It  is  not  necessary  for  all  nodes  to  be  ordered  in  an  IDA.  This  flexibility  allows 
for  decision  makers  who  agree  on  common  based  states  of  information,  but  dif¬ 
fer  in  ability  to  observe  certain  variables  in  the  diagram  modeling  [Howard, 
Matheson,  1981].  IDA  are  able  to  organize  conditional  probability  assessments 
required  to  determine  unconditional  probabilities  of  failures  of  specified  target 
events. 

It  is  to  be  emphasized  that  FTA,  ETA,  and  IDA  are  complimentary. 
They  can  be  used  for  different  purposes,  to  develop  different  details,  for  to  illus¬ 
trate  or  evaluate  different  ways  of  thinking.  The  author  has  found  many  that 
do  not  easily  think  in  FTA  terms,  yet  think  easily  in  ETA  terms.  Many  find 
IDA  confusing  and  complex.  The  approach  used  should  match  the  specific 
problem,  the  users,  and  the  objective  of  the  analyses. 


Analysis  Software 

Some  excellent  computer  software  is  now  available  to  perform  FTA, 
ETA,  and  IDA.  Codes  that  have  been  used  by  the  author  include  InDia 
[Decision  Focus  Inc.,  1994],  ©Risk  [Palisade  Corp.,  1994a],  and  DATA 
[Palisade  Corp.,  1994b],  and  DPL  (Decision  Programming  Language)  [Palisade 
Corp.,  1994c] 

InDia  is  a  Personal  Computer  (PC)  based  program  designed  specifically 
to  perform  IDA.  There  is  a  very  convenient  graphical  interface  to  construct 
the  Influence  Diagrams  and  provide  the  associated  descriptions  of  the 
variables  and  their  probabilities.  Portions  of  the  IDA  can  be  evaluated. 
Sensitivity  analyses  are  easily  performed  to  determine  the  effects  of  changes  in 
critical  variables  and  dependencies. 

©Risk  is  designed  for  a  variety  of  types  of  probability  analyses  based  on 
Excel  spreadsheets  for  both  PC  and  Macintosh  (Mac)  computers.  Monte  Carlo 
analyses  can  be  performed  to  evaluate  the  probabilities  in  any  spreadsheet 
model.  Graphical  interfaces  are  highly  developed  DPL  is  very  similar  to 
InDia,  however,  it  also  can  perform  ETA  and  FTA.  DATA  is  designed  for  both 
PC  and  Mac  platforms,  and  is  designed  specifically  to  allow  evaluations  of 
Decision  Trees  (FTA,  ETA).  The  trees  are  structured  graphically.  The 
probabilities  of  event  are  input  in  the  tree  graphical  format.  Output  graphics 
are  excellent. 

As  with  any  tool,  the  quality  of  the  analyses  and  the  use  of  the  associated 
computer  codes  lies  with  the  user.  The  trees  or  event  analyses  must  be  built 
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correctly;  they  must  capture  the  essence  of  the  system  and  the  functions.  The 
event  sequences  and  potential  failure  scenarios  must  be  properly  identified  and 
structured.  The  quantitative  input  characterizations  must  be  reasonable. 
Elegant  simplicity  instead  of  unnecessary  complexity  is  to  be  encouraged  so 
that  the  input,  process,  and  output  can  be  understood  by  a  variety  of  individu¬ 
als  concerned  with  improving  quality  in  design  and  construction  of  ship  struc¬ 
ture. 


Summary 


This  chapter  has  outlined  three  approaches  to  developing  evaluations  of 
HOE  effects  on  the  quality  of  ship  structures: 

1)  qualitative  (subjective  evaluations), 

2)  quantitative  (objective  evaluations),  and 

3)  mixed  qualitative  -  quantitative  (rule  -  rating  evaluations). 

Appendix  C  summarizes  two  approaches  to  develop  the  third  type  of 
evaluation.  Given  the  dearth  of  reliable  and  detailed  data  to  perform  quantita¬ 
tive  evaluations,  the  third  type  of  approach  holds  much  promise  for  application 
in  ship  design  and  construction  HOE  evaluations.  The  mixed  qualitative  - 
quantitative  approach  avoids  the  majority  of  the  explicit  detail  and  complexity 
of  PRA  -  QRA  quantitative  approaches. 

These  three  approaches  are  complimentary.  They  should  be  used  at  dif¬ 
ferent  stages  of  evaluating  a  particular  system.  The  qualitative  and  mixed  ap¬ 
proaches  can  be  used  to  screen  systems  to  identify  the  critical  or  important  po¬ 
tential  failure  modes  in  a  given  system.  These  critical  failure  modes  can  then 
become  the  focus  of  the  detailed  quantitative  approach. 

Presently  available  information  that  can  be  used  to  provide  quantifica¬ 
tions  of  HOE  effects  have  been  summarized.  The  information  is  sketchy. 
Important  future  efforts  should  be  directed  at  developing  more  adequate  data 
on  HOE  effects  in  design,  construction,  and  operation  of  ship  structures. 

In  their  best  form,  application  of  these  approaches  can  represent  un¬ 
common  common  sense  and  good  management.  They  are  intended  to  formal¬ 
ize  and  discipline  what  high  quality,  reliability,  and  productivity  individuals 
and  organizations  have  been  developing  in  the  past  using  other  means;  gener¬ 
ally  hard  won  but  often  easily  forgotten  lessons  of  how  to  achieve  quality  in  the 
face  of  inevitable  obstacles. 

The  quality  of  what  is  developed  using  any  of  the  approaches  is  directly 
dependent  on  the  quality  of  the  background  and  experience  of  the  individuals 
and  procedures  that  are  used  to  perform  the  assessments  and  evaluations. 
Most  important  are  the  incentives,  motivations,  resources,  and  rewards  pro¬ 
vided  for  those  performing  the  assessments  and  evaluations.  The  incentives 
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need  to  be  directed  toward  the  primary  objective:  find  out  how  best  to  improve 
the  reliability  and  quality  of  the  ship  structure. 

The  motivations  behind  the  evaluations  need  to  be  positive:  to  do  the  best 
job  possible  to  define  how  to  achieve  quality.  A  critical  motivation  should  be  to 
empower  those  on  the  front  lines  of  the  activities  that  have  direct  effects  on  the 
quality  of  ship  structures. 
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EXAMPLES* 
QUALITATIVE  &  QUANTITATIVE 

ANALYSES 


Introduction 


The  objective  of  this  chapter  is  to  illustrate  how  the  previous  develop¬ 
ments  documented  in  this  report  can  be  used  to  define  measures  to  improve 
the  quality  of  ship  structures  during  the  design  process.  The  examples  are  fo¬ 
cused  on  human  error  control  and  management  during  the  design  process. 
The  fundamental  objective  of  these  measures  is  to  assure  that  a  defined  level  of 
quality  in  the  ship  structure  is  achieved  with  a  given  reliability. 

The  chapter  will  first  outline  generic  ship  design  and  construction  pro¬ 
cesses.  This  outline  is  intended  to  provide  a  representative  template  for  illus¬ 
trating  how  evaluations  of  HOE  effects  might  be  analyzed  and  evaluated  to  im¬ 
prove  quality  in  ship  structures. 

Generic  ship  structure  design  and  construction  processes  are  outlined 
in  the  first  parts  of  this  chapter.  These  generic  design  and  construction  pro¬ 
cesses  can  form  the  general  framework  for  future  evaluations  of  quality  man¬ 
agement  alternatives  in  design  and  construction  of  ship  structures. 

The  generic  ship  design  process  is  further  developed  using  a  quantita¬ 
tive  probabilistic  approach.  This  development  is  used  to  illustrate  the  applica¬ 
tion  of  the  background  developed  in  the  previous  chapter  on  the  quantitative 
approach.  This  development  is  used  in  the  ship  design  examples  detailed  in 
the  last  parts  of  this  chapter. 

Two  examples  concerning  the  design  of  ship  structures  will  address  the 
activities  of  the  individuals  that  perform  the  design  (design  team),  the  organi¬ 
zations  that  influence  the  performance  and  activities  of  the  design  team,  and 
the  procedures  used  by  the  design  team  (design  guidelines,  classification  re¬ 
quirements,  software,  design  procedures).  The  ergonomic  considerations  of 
hardware  (e.g.  computers)  and  internal  environmental  (office  lighting,  venti¬ 
lation)  aspects  will  not  be  addressed  in  these  examples. 
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The  examples  address  alternatives  for  improving  QA  /  QC  before  and 
during  the  design  process.  These  alternatives  have  been  outlined  in  Chapter  7. 
A  quantitative  formulation  will  be  developed  later  in  this  chapter. 

Two  non-ship  structure  examples  of  quantitative  analyses  to  improve  the 
quality  of  the  structures  of  offshore  platforms  have  been  included  in  this  re¬ 
port.  These  examples  contain  many  similarities  to  problems  that  have  been 
encountered  in  the  design  of  ship  structures. 

The  first  example  addresses  improved  management  of  HOE  in  the  de¬ 
sign  of  the  Sleipner  B  offshore  platform.  The  analyses  in  this  example  were 
performed  by  Lt.  Robin  Noyes  as  a  term  project  in  the  course  Reliability  Based 
Design,  Construction,  and  Maintenance  Criteria  for  Marine  Structures  [Bea, 
1994].  This  example  examines  one  specific  operation  in  the  design  process;  the 
finite  element  analysis  of  the  platform  base  "star  cell"  intersections.  The  ef¬ 
fects  of  improvements  in  three  critical  parts  of  the  analysis  process  are  exam¬ 
ined. 


As  discussed  previously  in  this  report,  it  was  a  similar  design  error  that 
caused  the  failure  (sinking)  of  the  Sleipner  A  platform.  This  example  relies  on 
the  use  of  FTA  and  ETA  to  perform  the  quantitative  analyses.  This  example 
will  be  summarized  later  in  this  chapter. 

The  second  example  addresses  the  improved  management  of  organiza¬ 
tion  errors  in  the  design  of  the  decks,  jackets,  and  foundations  of  conventional 
offshore  platforms.  This  example  is  based  earlier  research  performed  by 
Professor  Pat^-Cornell  and  the  author  [1989,  1992],  This  example  examines 
the  generic  processes  involved  in  design  of  the  three  principal  components  that 
comprise  platforms  (deck,  jacket,  foundation)  and  the  effects  of  checking  on 
improving  the  reliability  of  the  design  process.  The  design  phase  is  analyzed 
in  the  context  of  the  construction  and  operations  phases.  This  example  relies 
on  the  use  of  IDA  to  perform  the  quantitative  analyses.  This  example  is  sum¬ 
marized  in  Appendix  D. 


Commercial  Ship  Structure  Design  and  Construction 


The  commercial  ship  design  and  construction  process  has  been  studied 
and  documented  by  the  Infrastructure  Study  in  Shipbuilding  Project  Office, 
Manufacturing  Technology  Branch,  Manufacturing  Systems  Division, 
Systems  Department  of  the  David  Taylor  Research  Center  in  cooperation  with 
the  Office  of  the  Associate  Administrator  for  Shipbuilding  and  Ship 
Operations,  Maritime  Administration,  U.  S.  Department  of  Transportation 
[Karaszewski,  Wade,  1990]. 

The  objective  of  this  study  was  to  undertake  an  analysis  of  the  U.  S. 
commercial  shipbuilding  infrastructure  as  of  1990,  with  the  goal  being  that  of 
identifying  the  time-critical  functions  within  the  ship  acquisition  process. 
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Participants  in  the  study  included  customer  organizations,  ship  design 
and  systems  engineering  organizations,  classification  societies,  financial  in¬ 
stitutions,  supply  /  service  vendors  and  subcontractors,  government  agencies, 
labor  organizations,  and  academic  /  training  institutions. 

The  analysis  method  utilized  in  this  study  was  identified  as  the  IDEF 
(ICAM  Definition  language).  This  process  is  the  standard  approach  used  to 
define  manufacturing  system  requirements  in  many  Department  of  Defense 
manufacturing  programs  and  evolved  from  the  Air  Force  ICAM  (Integrated 
Computer  Aided  Manufacturing)  program.  IDEF  was  used  to  produce  the  fol¬ 
lowing  three  models  [Karaszewski,  Wade,  1990]; 

•  Functional  model  -  a  structured 
representation  of  the  functions  of  a 
system  and  of  the  information  and 
objects  which  interrelate  those  func¬ 
tions. 

•  Information  model  -  a 
representation  of  the  structure  and 
semantics  of  information  within  the 
system. 

•  Dynamic  model  -  a  representation  of 
the  time  varying  behavior  of  the 
process. 

The  IDEF  mechanics  involved 
definition  of  the  key  Functions  (activities)  within  the  shipbuilding  process. 
Associated  with  each  of  the  Functions  were  identified  Controls,  Inputs, 
Mechanisms,  and  Outputs  (Figure  9.1). 

The  IDEF  commercial  ship  design  and  construction  process  and  the  av¬ 
erage  time  required  to  complete  each  portion  of  the  process  are  summarized  in 
Figure  9.2  [Karaszewski,  Wade,  1990].  This  process  is  very  similar  to  that  de¬ 
fined  by  Palermo  [1986]  for  U.  S.  military  ships  and  Glimmer  [1975]  for  U.  S. 
commercial  ships. 

At  the  highest  level  of  aggregation,  three  key  IDEF  Functions  were  iden¬ 
tified: 


controls 


mechanisms 


Figure  9.1  -  Fundamental  IDEF 
model  mechanics 


•  Develop  a  ship  concept  -  activities  associated  market  analysis,  customer 
requirements,  concept  design,  and  preliminary  design. 

•  Secure  a  contract  -  development  of  a  contract  package,  including  contract 
plans  and  specifications,  acquisition  of  capital  financing,  and  selection 
of  a  shipyard. 
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•  Build  and  deliver  a  ship  -  detailed  design,  material  procurement,  con¬ 
struction,  testing,  trials,  and  delivery. 


Figure  9.2  -  Generic  commercial  ship  design  &  construction  process 


Ship  Structure  Design 


The  IDEF  Functional  models  for  Development  of  a  Ship  Concept, 
Performance  of  the  Concept  Design,  and  Development  of  a  Detailed  Design  are 
summarized  in  Figures  9.3,  9.4,  and  9.5,  respectively.  These  models  define  the 
key  inputs,  controls,  mechanisms,  and  outputs  associated  with  each  of  these 
models.  This  provides  important  information  and  insight  regarding  the  poten¬ 
tial  human,  organizational,  hardware,  procedure,  and  environmental  aspects 
that  could  influence  the  quality  of  the  ship  structure. 


Concept  Design 

The  Concept  Design  Function  (Figure  9.3)  is  the  first  step  in  the  design 
process.  The  purpose  often  is  to  translate  a  set  of  operational  requirements 
into  the  approximate  physical  characteristics  of  a  ship  structure. 

The  Function  constitutes  technical  feasibility  studies  to  establish  the 
ship  characteristics  all  of  which  are  intended  to  meet  the  required  space  and 
cargo  cubic  and  deadweight  requirements  defined  by  the  customer. 
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STTSTTT 


Variations  in  design 
configuration  are  generally 
analyzed  in  parametric 
studies  during  this  Function 
to  determine  the  most 
economical  design  solution. 
The  developments  during  this 
Function  are  important 
because  they  form  the 
fundamental  bases  for  the 
subsequent  design 
developments. 


Preliminary  Design 

The  Preliminary 
Design  Function  (Figure  9.4) 
involves  the  development  and 
refinement  of  the  principal 
characteristics  of  the  ship 
structure  with  greater 
precision  that  required  during 
the  concept  design  stage. 
These  characteristics  include 
the  principal  ship 
dimensions,  hull  form 
parameters,  and  a  general 
arrangement  and  the  hull's 
structural  configuration. 


The  entire  process  is 
iterative  (the  design  spiral ) 

[Taggart,  1980].  The 
preliminary  design  package  Figure 
reflects  the  economic  viability 
of  the  design  as  well  as  the 
necessary  engineering  considerations 


Figure  9.3  -  Concept  Design  Function 


Figure  9.4  -  Preliminary  Design  Function 


The  preliminary  design  process  operates  under  some  important  con¬ 
straints  that  include  industry  practice,  performance  requirements,  and  the 
body  of  rules  and  classification  requirements  (laws  and  regulations).  Key  in¬ 
puts  to  the  preliminary  design  that  were  defined  in  the  concept  design  include 
customer  requirements  (first  cost  generally  being  a  major  requirement  to  se¬ 
cure  the  contract)  and  the  design  knowledge  base.  This  base  is  comprised  of 
the  information  and  empirical  data  pertaining  to  the  class  of  ship  design  being 
considered. 
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Detailed  Design 


The  Detailed  Design  Function  (Figure  9.5)  includes  the  final  and  most 
detailed  level  of  the  design  process.  The  detailed  design  is  intended  to  result  in 
the  precise  definition  of  the  ship  configuration,  definition  of  all  material  re¬ 
quirements  and  the  preparation  of  manufacturing  support  information. 

The  IDEF  Detailed 

Design  Function  identified  five  Fu^km. 

primary  categories  of  activities  L.bcr  Ration. 

*  ^  ”  Economic  Conditions 

that  comprise  the  detailed  i^rv 

_  r  Vetoes  snd  Attitudes 

design:  - 

IMHJTt  . 1 . ■■■■■■■■  - 

Design  Modifications  . .  . “1  OUIWJTI 

1 'i  Final  dpfinifinn  nffhp  R"*ncW RMourcM  DEVELOP  1 

-U  rilldJ.  UemilLlUIl  Ul  Llle  D«liv»ry  Schwduk.  DFTAILPD  M«k. /  Buy  Plan 

T*chnlcit  Information  ♦  nccVAIj  Shop  Drawing. 

snip  system  -  Hum.n  RMourcM  DESIGN  U.lwl.l  R»qulram.nt. 

CONTRACT  - - -  D«lgn  M<xlHI»tlon» 

per  I0rII13.nCe  PACKAGE*  DESIGN  UhmmhhhmJ  Ship  Technical  Information 

requirements,  structural  _  x _ 

characteristics  and  ■  ijsfSkr 

internal  arrangements.  Mum*4«X're“ 

Fscilittos  *  Equipment 

Materials 

2)  Design  of  the  ship  - 

systems  and  components  Fi  9  5  .  Detailed  Design  Function 
-  individual  characteris¬ 
tics  of  all  of  the 

structural  elements, 

components  (assemblies  of  elements)  and  their  integration  into  the  ship 
structure  system. 

3)  Approval  of  the  design  -  evaluation  and  approval  of  the  structure  system 
by  the  owner,  classification  societies,  and  regulatory  agencies. 

4)  Development  of  a  production  approach  -  quality  standards,  hull  erection 
sequence,  outfitting  plan,  and  a  test  plan. 

5)  Preparation  of  shop  drawings  and  specifications  -  all  of  the  written  and 
graphical  documentation  required  to  produce  the  ship. 


Figure  9.5  -  Detailed  Design  Function 


The  principal  constraints  in  the  final  design  Function  are  the  design 
modifications  that  develop  from  the  review  of  the  contract  and  detailed  designs 
by  the  customer  and  regulatory  bodies,  the  shipyard  allocated  resources  to  the 
design  including  production  capabilities  and  design  monetary,  time,  human, 
testing,  and  schedule  resources. 
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Design  Analyses 


Details  of  the  content  of  the  ship  structure  design  process  and  the  asso¬ 
ciated  analyses  have  been  summarized  by  Hughes  [1983],  Rawson  and  Tupper 
[1983],  and  Taggart  [1980]. 


A  summary  of  the 
Detailed  Design  Process 
(Figure  9.2)  is  developed  in 
Figure  9.6.  The  process  is 
initiated  based  on  the  results 
of  the  preliminary  and 
construction  designs  (Figure 
9.2).  The  process  consists  of 
four  primary  Functions :: 

1)  Structure 
Configuration, 

2)  Structure  Loadings 
Analyses, 

3)  Structure  Analyses, 
and 

4)  Design  Documentation 

Specific  types  of 
detailed  design  activities  and 
analyses  are  identified  in 
Figure  9.6.  It  is  these 
detailed  design  activities  that 
can  become  the  activities  that 
are  evaluated  to  determine 
their  HOE  implications  and 
how  sufficient  quality  might 
best  be  assured. 


FROM  PRELIMINARY  DESIGN 

_ i _ 


STRUCTURE  CONFIGURATION 

•  Molded  Lines 

•  Materials,  Sections 

•  Shell  Plating 

•  Deck  Plating 

•  Longitudinal  Framing 

•  Transverse  Framing 

•  Intersections  &  Joints 

•  Pillars,  Girders,  &  Hatch  Coamings 

•  Bow  &  Stem  Structures 

•  Superstructure 

•  Foundations 

•  Bossings  &  Struts 

•  Bilge  Keels  and  Fenders 

'  ~  l  ' 


STRUCTURE  LOADINGS 

•  Global 

•  Local 

•  Still  Water  (loading,  unloading  proc. 

•  Wave  (static,  dynamic,  cyclic) 

•  Cargo  (pressures,  sloshing) 

•  Springing,  Slamming 

•  Thermal 

•  Construction  (IHting,  launching) 

•  Operations  (docking,  mooring) 

•  Accidental  (grounding,  collision) 


SOURCES 

•  Classification  Rules 

•  First  Principles  ■  Ship  Motions 

•  Laboratory  Testing 
^^^^ShijjMonltorinj^^ 


4 - 1 


STRUCTURE  ANALYSES 

•  Stresses,  Strains,  Deflections 

•  Global  -  Primary  Response 

•  Local  ■  Secondary,  Tertiary 

•  Racking,  twisting,  warping 

•  Permissible  Stresses  (axial,  bending, 

shear,  buckling,  fatigue) 

•  Deflections  (global,  local) 

•  Permissible  Deflections 


I 

SOURCES 

•  Classification  Rules 

•  First  Principles  -  Beam  Theory 

•  First  Principles  -  Finite  Element 

•  Laboratory  Testing 
•  Ship  Monitoring 


STRUCTURE  DESIGN 
DOCUMENTATION 

•  Primary  Ship  Structure  Drawings 
•  Ship  Structure  Detail  Drawings 
•  Materials  Specifications 

•  Fabrication  Specifications 

•  Operations  Specifications 
•  Maintenance  Specifications 


1 

TO  CONSTRUCT  &  COMMISSION  SHIP 


The  principal  sources  Figure  9.6  -  Generic  ship  structure  detailed 
of  information  that  can  be  design  process 
utilized  in  performing  the 
Structure  Loadings  Analyses 
and  Structure  Analyses  are 

identified  in  Figure  9.6.  In  a  subsequent  section  of  this  chapter,  this  generic 
detailed  design  process  will  be  the  basis  for  illustration  of  the  probabilistic 
analytical  approach  developments  of  the  previous  chapter. 
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Ship  Structure  Construction _ 


The  third  major  group  of  IDEF  activities  concerns  the  processes 
whereby  a  shipyard  and  its  suppliers  and  subcontractors  construct  and  deliver 
a  ship;  Build  and  Deliver  a  Ship.  This  Function  is  summarized  in  Figure  9.7. 

In  contrast  with  the 
preceding  activities,  the 
shipyard  is  primarily  on 
control  of  this  stage  of  the 
ship  building  process.  The 
IDEF  model  for  construction 
and  delivery  of  a  ship 
identified  four  major 
activities: 


1)  management  of  the 
shipyard  operation, 

2)  preparation  of  a 
detailed  design, 

3)  procurement  of  all 
materia  and 
equipment  that  will  be 
consumed  in  building  or  installed  on  the  ship,  and 

4)  fabrication,  assembly  and  testing  of  the  completed  ship. 

The  study  identified  an  important  activity  that  was  missing  from  the 
commercial  shipbuilding  process.  This  activity  involved  development  of  a 
technical  information  package  that  could  be  delivered  to  the  customer  with  this 
ship.  This  owner  and  operators  manual  would  embody  all  of  the  ship  opera¬ 
tion  and  maintenance  that  should  be  in  the  hands  of  the  owner  and  operator. 
This  would  be  assembled  from  a  variety  of  sources  throughout  the  entire  pro¬ 
duction  process.  This  ship  design  and  construction  database  could  form  the 
foundation  for  the  development  of  a  Marine  Structural  Integrity  Program  for 
the  ship  throughout  its  life  [Bea,  1993]. 

The  primary  inputs  to  this  Function  include  the  contract  package,  the 
preliminary  production  plan,  and  the  human  and  financial  resources  plans. 
The  primary  outputs  include  the  allocated  resources  to  build  the  ship,  the  bud¬ 
gets,  schedules  and  procedures,  the  customer  relations  plan,  and  the  business 
data  the  monitors  the  overall  cost  and  schedule  performance  of  the  shipyard  in 
relation  to  the  ship  construction  contract. 

The  primary  controls  on  the  ship  production  include  applicable  laws 
and  regulations,  economic  conditions  that  influence  make  and  buy  decisions, 


Figure  9.7  -  Build  and  deliver  ship  function 
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labor  relations,  and  industry  -  shipyard  practices.  The  primary  mechanisms 
include  qualified  human  resources  (for  management,  design,  production  and 
QA  /  QC  activities),  systems  required  to  manage  the  shipyard  operations,  and 
the  facilities  and  equipment  including  all  of  the  hardware  required  to  adminis¬ 
ter  the  shipbuilding. 

Based  on  the  IDEF  shipbuilding  study,  and  the  information  documented 
by  Taggert  [1980],  a  generic  ship  structure  construction  system  has  been  devel¬ 
oped.  This  system  is  summarized  in  Figure  9.8.  The  system  identifies  five 
major  categories  of  primary  activities: 

1)  planning  and  scheduling, 

2)  lofting, 

3)  steel  procurement  and  storage, 

4)  steel  cutting  and  forming,  and 

5)  fabrication  and  erection. 


Figure  9.8  -  Generic  principal  activities  in  construction  of  ship  structures 


In  addition,  the  system  identifies  six  secondary  activities  that  have  di¬ 
rect  effects  on  the  fabrication  and  erection  activity.  These  include  dimensional 
controls,  surface  preparations,  painting,  welding,  modifications,  and  defect 
repairs.  Note  that  the  major  QA  /  QC  activities  are  included  within  the  five 
principal  categories  of  activities. 
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As  for  the  generic  detailed  design  process  developed  earlier  (Figure  9.6), 
this  generic  construction  process  can  be  used  at  the  starting  point  for  develop¬ 
ing  evaluations  of  construction  activities  and  the  HOE  effects  on  these  activi¬ 
ties. 


The  developments  that  follow  in  this  chapter  and  report  will  be  directed 
at  the  ship  design  process.  This  was  dictated  by  the  defined  scope  of  work  for 
this  project.  It  will  be  seen  that  the  design  process  related  developments  and 
applications  are  also  applicable  to  the  construction  process. 


Ship  Structure  Design  Quantitative  Formulation 


A  system  diagram  expression  of  how  HOE  can  influence  the  quality  of  a 
marine  system  is  illustrated  in  Figure  9.10.  The  background  for  this  diagram 
will  be  developed  based  on  a  quantitative  probabilistic  approach  in  this  section. 

In  this  development,  the  human  error  classifications  (individuals,  or¬ 
ganization,  hardware,  procedures,  systems)  that  have  been  developed  in  this 
project  are  assumed  to  identify  sets  of  mutually  exclusive  and  exhaustive 
causes. 


First  Level  -  Failure  to  Achieve  the  Desired  Quality 

The  System  in  Figure  9.10  refers  to  the  ship  structure  system.  The  qual¬ 
ity  of  the  ship  structure  system  can  be  directly  influenced  by  two  primary  cate¬ 
gories  of  factors:  l)Environments  (E),  and  2)  Human  Errors  (O). 

The  category  Environments  represented  by  E  represent  hazards  that  can 
result  in  compromises  in  the  quality  of  the  ship  structure  that  are  natural  or 
due  to  inherent  randomness.  The  category  of  Human  Errors  represented  by  O 
represent  hazards  that  can  result  in  compromises  in  the  quality  of  the  ship 
structure  that  are  unnatural  or  due  to  human  errors. 

The  ship  structure  quality  attributes  are  defined  as  serviceability,  safety, 
durability,  and  compatibility.  These  are  the  four  attributes  that  define  the 
quality  of  a  ship  structure.  An  insufficient  quality  attribute  (i  =  1  =  serviceabil¬ 
ity,  i  =  2  =  safety,  i  =  3  =  durability,  i  =  4  =  compatibility)  can  be  caused  by  natu¬ 
ral  causes  /  inherent  randomness  (E)  and  /  or  human  error  (O). 

The  likelihood  of  insufficient  quality  in  the  ship  structure  is  indicated  as 
the  probability  of  failure  (PfQ).  The  likelihood  of  insufficient  quality  (failure)  is 
the  union  of  the  Likelihoods  of  insufficient  serviceability,  Pfi,  safety,  Pf2,  dura¬ 
bility  Pf3,  and  compatibility  Pf4: 

PfQ  =  UPfi  (i  =  1  to  4)  (9.1) 
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structure  fails 
due  to  insufficient 


errors  in  loading  analyses  due  to  design  "team" . 


violations'  ignorance]  mistakes  planning  &  I  selection  &  limitations  & 
— .  .  .  |7' 1  .  .  .ITT-!.  .  .  f.  preparations .  training  impairment- 


organizational 

causes 


hardware 


design  team  errors  due  to 


Figure  9.10  -  System  -  procedures  analysis  incorporating  environmental  and 
human  error  influences 


Insufficient  Quality  -  With  and  Without  HOE 

The  probability  of  failure  of  any  one  of  the  quality  attributes  due  to  inher¬ 
ent  randomness  will  be  identified  as  PfiE.  The  probability  of  failure  of  any  one 
of  the  quality  attributes  due  to  human  error  will  be  identified  as  PfiO-  Then: 

Pfi  =  {PfiE  I  0}  P[0]  +  {PfiE  I  0}  P[01  +  PfiO  P[0]  (9.2) 

where 

P[0]  =  1  -  P[0]  =  probability  of  no  human  error  (9.3) 
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Life-Cycle  Phases  of  Quality 

The  likelihood  of  insufficient  quality  in  the  ship  structure  due  to  human 
error  could  be  evaluated  in  the  design  (Yi),  construction  (Y2),  and  operations 
(Y3)  phases  as  follows: 

PfiO  =  U  Pf  [Yi  I  OYil  P  [OYil  (i  =  1  to  3)  (9.4) 

where  OYi  indicates  a  human  error  that  occurs  in  one  of  the  three  life-cycle 
phases  of  the  ship  structure. 

Quality  in  One  Phase  of  the  Life  Cycle 

The  likelihood  of  insufficient  quality  in  the  ship  structure  due  to  the  in¬ 
fluences  of  individuals  during  the  design  phase  (1.0)  could  be  evaluated  as  fol¬ 
lows: 


Pfi[Yi  I  OYil  =  PfitYi.i  I  OY1.1]  P  [OYl.ll  u  Pfi[Yi.2 1  OY1.21  P  [Oyi.21 
u  Pfi[Yi.3 1  Oyi.31  P  [OY1.3]  u  Pfi[Yi.4 1  OY1.41  P  [OY1.41 

(9.5) 

where  the  subscripts  l.l,  1.2,  1,3,  and  1.4  refer  to  the  configuration  of  the  ship 
structure,  the  loading  analyses,  the  structure  analyses,  and  the  design  docu¬ 
mentation  respectively.  These  are  the  four  major  components  that  have  been 
identified  to  form  the  design  activities  (Figure  9.6). 


Quality  in  One  Part  of  One  Phase  of  the  Life  Cycle 

The  likelihood  of  insufficient  quality  in  the  ship  structure  due  to  human 
error  during  the  loading  analyses  could  be  evaluated  as  follows: 

Ph[Yl.2l  =  U  (Pfi  I  Oj)  P[0j  I  Y1.2]  (j  =  1  to  8)  (9.6) 

where  (Pfi  I  Oj)  refers  to  the  probability  of  insufficient  quality  of  type  i 
(serviceability,  safety,  durability,  compatibility)  of  the  ship  structure  due  to 
(conditional  upon)  a  human  error  of  type  j.  P[Oj]  refers  to  the  probability  of  the 
human  error  of  type  j. 
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The  human  error  type  j 
subscripts  1  through  8  refer  to  the 
individual  human  error  classification 
system  developed  in  this  project.  This 
system  is  summarized  in  Figure  9.11. 

The  eight  mutually  exclusive  and 
exhaustive  categories  include 
communications,  slips,  violations, 
ignorance,  planning  and  preparation, 
selection  and  training,  limitations  and 
impairment,  and  mistakes. 

(Pfi  I  Oj)  is  the  "fragility"  curve 
for  the  hull  structure.  As  discussed 
previously  in  this  report,  this  fragility 
curve  could  be  developed  analytically  by  Figure  9.11  -  Classification  of  human 
determining  how  the  particular  quality  errors 
characteristic  of  the  ship  hull  struc¬ 
ture  (e.g.  its  capacity)  is  influenced  by 
different  types  and  "intensities"  of  errors. 

This  explicit  evaluation  of  variable  error  intensities  or  magnitudes  could 
be  avoided  if  it  were  assumed  that  the  errors  being  addressed  were  those  that 
resulted  in  very  significant  or  major  degradation  in  quality.  This  would  be 
equivalent  to  defining  only  two  categories  of  errors:  major  and  minor.  It  then 
would  be  necessary  to  determine  the  probability  of  failure  associated  with  the 
defined  major  category  of  error.  Such  a  definition  is  consistent  with  the  mea¬ 
ger  quantitative  data  that  is  available  on  human  errors. 

It  is  important  to  note  that  the  shape  of  the  fragility  curve  can  be 
changed  by  engineering.  This  is  design  for  "robustness"  or  defect  (error)  tol¬ 
erance.  For  the  intensities  (magnitude)  and  types  of  errors  that  normally  can 
be  expected  (for  a  given  QA  /  QC  system),  the  structure  should  be  configured 
and  designed  so  that  it  does  not  "fail"  (or  have  unacceptable  quality)  when 
these  types  and  magnitude  of  errors  occur  [Bea,  1992;  Das,  Garside,  1991]. 

The  likelihood  of  insufficient  quality  developing  in  the  other  three  parts 
of  the  design  process  (configuration,  structure  analyses,  and  design  documen¬ 
tation)  would  be  developed  in  a  similar  manner. 


Contributing  Influences  to  Human  Errors 

The  categories  of  human  errors  are  influenced  by  four  types  of  contribut¬ 
ing  influences  (error  inducing  or  causing  factors):  organizations  (Oe),  hard¬ 
ware  (He),  procedures  (Pe),  and  environment  (Ee). 

The  probability  of  a  given  type  (e.g.  communications)  and  magnitude 
(e.g.  major)  of  a  human  error  (Oj)  made  by  the  individual  or  individuals  com- 
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prising  a  given  part  of  the  design  "team"  in  the  loading  analysis  during  the 
design  phase  (Yi,2)  could  be  evaluated  as  follows  (Figure  9.12): 

P[Oj  I  Yi.2]  =  P[Oj  I  Oej]  P  [Oej]  u  P[Oj  I  Hej]  P  [Hej] 

u  P[Oj  I  Pej]  P  [Pej]  u  P[Oj  I  Eej]  P  [Eej]  (9.7) 

where  P[Oej],  P[Hej],  P[Pej],  and  P[Eej],  refer  to  a  human  error  of  type  j  caused 
by  organization  factors,  hardware  factors,  procedure  factors,  and  environment 
(internal)  factors,  respectively. 


Causes  of  Contributing  Influences 

The  probability  of  the 
organization  influence  on  the  human 
error  of  a  given  type  (Oj)  occurring 
during  the  design  phase  in  the 
loading  analysis  (Yi.2)  could  be 
expressed  as  follows: 


P[OejlYi.2l  =  U  P(Oejn) 

(n  =  1,  ...,8)  (9.8) 

The  subscripts  n  =  1  through  n  =  8 
refer  to  the  organization  error 
classification  system  developed  earlier 
in  this  project.  The  eight  classes  of 
organization  errors  are  identified  in 
Figure  9.13.  The  eight  mutually 
exclusive  and  exhaustive  categories 
include  communications,  planning 
and  training,  culture,  organization, 
violations,  monitoring  and 
controlling,  ignorance,  and  mistakes. 

The  other  terms  (P[He],  P[Pe], 
and  P[Ee]  would  be  developed  in  the 
same  manner  as  P[Oe], 


Figure  9.12  -  Human  error  ETA 


Figure  9.13  -  Organization  error  ETA 
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System  Diagram  -  Rare  Event  Approximation 

The  system  diagram  shown  in  Figure  9.10  has  been  based  on  the  rare 
event  approximation  of  the  foregoing  analytical  expressions.  Consistent  with 
these  developments,  all  of  the  direct  and  contributing  EDA  factors  have  been 
shown  as  elements  in  series.  In  this  case,  the  following  expressions  can  be 
developed. 

Likelihood  of  insufficient  quality: 

PfQ  «  X  Pfi  (i  =  1  to  4,  four  attributes  of  quality)  (9.9) 

Likelihood  of  insufficient  quality  in  a  given  attribute  due  to  "natural 
causes"  (E)  and  due  to  "human  errors"  (O): 

Pfi  =  {PfiE  I  0}  P[0]  +  {PfiE  I  0}  P[0]  +  PfiO  P[0]  (9.10) 

Likelihood  of  human  error  causing  insufficient  quality  in  a  phase  of  the 
life-cycle: 

PfiO  *  X  Pf  [Yi  I  OYil  P  [OYil 

(i  =  1  to  3,  three  life-cycle  phases)  (9.11) 

Likelihood  of  human  error  causing  insufficient  quality  in  one  of  four 
parts  of  the  design  phase  (1.1  =  configuration,  1.2  =  loading  analyses,  1.3  = 
structure  analyses,  and  1.4  =  design  documentation: 

Pfi[Yi  I  OYil  =  PfitYi.i  I  OYl.ll  P  [OYl.ll  +  Pfi[Yi.2 1 0Y1.2l  P  [OY1.21 

+  Pfi[Yi.3  I  OY1.31  P  [OY1.31  +  Pfi[Yi.4 1  OY1.41  P  [OY1.41 

(9.12) 

Likelihood  of  human  error  causing  insufficient  quality  in  the  loading 
analyses  part  of  the  design  phase  caused  by  the  eight  types  of  human  errors: 

Pfi[Yl.2l  ~  X  (Pfi  I  Oj)  P[Oj  I  Yi.21 

(j  =  1  to  8,  types  of  human  errors)  (9.13) 

Likelihood  of  one  of  the  eight  types  of  human  errors  (Oj)  caused  by  one  of 
the  four  principal  causes  or  influences  acting  during  the  design  loading  anal¬ 
yses: 


P[Oj  I  Yi.2]  =  P[Oj  I  Oej]  P  [Oej]  +  P[Oj  I  Hej]  P  [Hej] 

+  P[Oj  I  Pej]  P  [Pej]  +  P[Oj  I  Eej]  P  [Eej]  (9.14) 

Likelihood  of  a  human  error  due  to  eight  organizational  influences  oc¬ 
curring  during  the  design  phase: 

P[OejlYi.2l  «  £  P(Oejn)  (n  =  1,  ...,8)  (9.15) 
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These  approximate  analytical  expressions  equate  to  a  series  system  that 
determines  the  quality  of  a  ship  structure.  This  is  an  interesting  observation  of 
the  quality  system.  As  additional  elements  are  added  to  a  series  system  com¬ 
prised  of  independent  elements,  its  probability  of  failure  increases  [Mansour, 
et  al.,  1990;  Bea,  1990].  This  indicates  that  the  number  of  primary  EDA  in  all 
parts  of  the  quality  process  should  be  decreased  to  the  minimum  possible  to  de¬ 
crease  the  likelihood  of  the  system  not  developing  the  desirable  level  of  quality. 
This  emphasizes  the  importance  of  elimination  of  unnecessary  complexity  in 
all  parts  of  the  system. 

The  other  interesting  observation  regards  the  effects  of  correlation  be¬ 
tween  the  series  elements.  If  all  of  the  series  elements  are  highly  correlated 
(magnitude  of  one  EDA  closely  related  to  the  magnitude  of  another  EDA,  etc.), 
then  the  probability  of  failure  of  the  system  is  equal  to  the  highest  probability  of 
failure  in  the  system  series  chain  [Bea,  1990;  Orisamolu,  Bea,  1993].  The  relia¬ 
bility  of  a  multi-element  series  system  can  be  improved  by  high  positive  corre¬ 
lation.  High  positive  correlation  in  EDA  could  be  developed  by  human  factors 
such  as  a  consistent  set  of  high  quality  individual  (human),  organization, 
hardware,  and  procedures  factors  that  are  allowed  to  permeate  the  entire  de¬ 
sign  process.  Organization  culture  is  likely  the  most  important  of  the  corre¬ 
lating  processes. 


Detection  &  Correction 

Thus  far  in  this  development,  it  has  been  assumed  that  there  has  been 
no  explicit  QA  /  QC  in  the  process.  Stated  another  way,  the  human  error  rates 
have  presumed  that  there  is  no  unusual  defense  in  depth  provided  to  detect 
and  correct  errors.  In  one  way,  this  is  not  unreasonable.  Most  minor  errors 
are  caught  by  the  individual  or  individuals  involved  in  a  particular  process 
and  corrected.  In  this  development,  we  are  concerned  with  the  major  embed¬ 
ded  errors  that  can  lead  to  significant  degradation  in  quality  that  are  not 
caught  at  the  local  level. 

Consequently,  the  next  step  in  this  development  addresses  human  error 
detection  (  =  D)  and  correction  (repair,  =  C).  This  is  essentially  an  attempt  to 
place  parallel  elements  in  the  quality  system  so  that  failure  of  a  component 
(assembly  of  elements)  requires  the  failure  of  more  than  one  weak  link.  Given 
the  high  degrees  of  correlation  that  could  be  expected  in  such  a  system,  this 
would  indicate  that  QA  /  QC  efforts  should  be  placed  in  those  parts  of  the  sys¬ 
tem  that  are  most  prone  to  error  or  likely  to  compromise  the  intended  quality  of 
the  system. 
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A  simple  ETA  of  this  process 
is  given  in  Figure  9.14  for  a  major 
human  error  occurring  in  phase  X 
of  the  life-cycle  of  the  ship  structure. 

The  term  major  is  used  here  because 
minor  errors  are  generally  detected 
and  corrected  either  by  the 
individual  making  them  or  by  the 
group  responsible  for  the  particular 
activity.  In  this  case,  we  are 
addressing  those  important  errors 
that  get  through  the  normal  QC 
process  that  has  been  defined  by  the 
QA  system. 

Conditional  on  the  occurrence 
of  the  human  error  of  type  (Oj, 

Figure  9.12),  the  probability  that  the 
error  gets  through  the  QA  /  QC 
system  can  be  developed  as  follows. 

The  probability  of  detection  is  P[D]  and  the  probability  of  correction  is  P[C].  The 
compliments  of  these  probabilities  (not  detected  and  not  corrected)  will  be 
indicated  as  P[~D]  =  1  -  P[D],  and  P[~C]  =  1  -  P[C]. 

The  undetected  and  uncorrected  error  event  (Uej)  associated  with  the 
human  error  event  (Oj)  is: 

Ue  =  U  (Oj  n  ~Dj  n  ~Cj)  (j  =  1  to  8)  (9.16) 

The  probability  of  the  undetected  and  corrected  error  of  type  j  event  is: 

P[Ue]  =  X  P[Oj  I  ~Dj  n  ~Cj]  P[~Dj  I  ~Cj]  P  [~Cj]  (j  =  1  to  8)  (9.17) 

Assuming  independent  events,  the  probability  of  the  undetected  and  cor¬ 
rected  error  of  type  j  event  is: 

P[Uej]  =  P[Oj]  {P[Dj]  P[~C]  +  P[~D]}  =  1  -  P[D]  P[C]  (9.18) 

The  probability  of  error  detection  and  the  probability  of  error  correction 
obviously  play  important  roles  in  reducing  the  likelihood  of  human  errors 
compromising  the  system  quality. 

Note  that  in  the  developments  that  preceded  the  introduction  of  QA  /  QC 
considerations,  if  P[Oj]  were  replaced  with  P[Uej],  the  effects  of  QA  /  QC  could 
be  introduced  into  any  of  the  parts  of  the  system. 

The  probability  of  detection  will  be  a  function  of  the  quality  and  intensity 
of  the  QA  /  QC  directed  at  this  function.  Similarly  with  regard  to  the  probabil- 
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detection  and  repair 
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ity  of  acceptable  or  adequate  correction.  In  both  cases,  an  expenditure  of  re¬ 
sources  is  required  to  achieve  the  desired  objectives. 

The  problem  is  to  determine  where  QA  /  QC  efforts  should  be  directed, 
how  they  should  be  directed,  and  how  intensely  they  should  be  developed. 

Given  limited  resources  to  develop  quality  in  a  marine  structure,  this  is  proba¬ 
bly  the  single  best  reason  for  quantitative  analyses;  to  help  show  the  most  effec¬ 
tive  way  to  implement  QA  /  QC  efforts  throughout  the  life-cycle  of  the  ship 
structure. 

Due  to  the  limitations  in  the  scope  of  this  first  SSC  project  on  HOE  in  de¬ 
sign  and  construction  of  ship  structures,  it  was  not  possible  to  conduct  com¬ 
prehensive  and  detailed  analytical  studies  of  ship  structures  and  the  elements, 
components,  and  systems  that  determine  their  quality.  This  should  become 
the  objective  of  future  SSC  sponsored  projects. 

However,  in  the  remaining  parts  of  this  chapter,  examples  will  be  devel¬ 
oped  to  illustrate  how  such  qualitative  and  quantitative  evaluations  could  be 
developed.  In  the  next  chapter,  based  on  experience  with  other  marine  and 
non-marine  structures,  general  guidelines  and  recommendations  will  be 
made  on  how  QA  /  QC  activities  might  best  be  directed  in  the  ship  structure  de¬ 
sign  phase. 


Example  -  Sleipner  B  Assessments 


The  background  of  the  failure  of  the  Sleipner  A  platform  has  been  sum¬ 
marized  in  Chapter  6.  This  $  1  billion  catastrophe  occurred  after  the  highly 
successful  design,  construction,  and  operation  of  some  25  similar  platforms 
over  the  past  25  years.  These  massive  concrete  and  steel  structures  stand  in 
water  depths  of  45  to  350  meters.  A  review  of  the  history  of  these  platforms  has 
been  summarized  recently  by  Moksnes  [1994].  In  his  review,  Moksnes  ob¬ 
served: 


"The  recent  loss  of  the  Sleipner  A  platform  in  1991  was  attributed 
to  shortcomings  in  the  interpretation  of  the  results  from  the  global 
analysis  and  inadequate  design  of  a  section  of  the  cell  walls,  and 
points  to  the  need  for  caution  in  what  tends  to  be  a  highly  auto¬ 
mated  design  process.  There  is  still  a  very  important  role  to  play 
for  the  experienced  design  engineer  and  the  trained  eye!" 

Noyes  [1994]  has  performed  quantitative  evaluations  of  the  design  of  the 
replacement  platform:  Sleipner  B.  Noyes  organized  the  design  process  as 
shown  in  Figure  9.15. 
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Figure  9.15  -  Evaluation  of  the  potential  contributors  to  HOE  in  the  Sleipner  B 
structural  analysis 


Following  an  initial  qualitative  screening  process  and  based  on  the  di¬ 
agnosis  of  the  causes  of  the  failure  of  Sleipner  A,  Noyes  evaluated  one  primary 
contributor  to  lack  of  quality  in  the  replacement  platform:  the  Structural 
Analysis  identified  in  Figure  9.15.  The  portion  of  the  structural  analysis  eval¬ 
uated  was  that  of  the  finite  element  analysis  of  the  star  cell  intersections  that 
had  been  improperly  performed  in  the  Sleipner  A  design. 

In  addition,  Noyes  identified  three  potential  primary  contributors  to  lack 
of  structural  analysis  quality  in  the  Sleipner  B  structure.  These  were:  1) 
Organization  Errors,  2)  Procedure  -  Software  Errors,  and  3)  Individual  Errors. 
Identification  of  the  principal  types  of  these  errors  are  summarized  in  Figure 
9.15.  Based  on  the  error  classifications  that  have  been  developed  previously  in 
this  report,  Figure  9.15  identifies  the  potential  types  of  errors  in  each  of  these 
three  categories. 

Based  on  results  of  interviews  with  experts  in  performing  Finite 
Element  Analyses  (FEA),  Noyes  identified  five  primary  processes  involved  in 
performing  FEA  of  CSD:  1)  defining  geometry  limitations,  2)  choosing  ele¬ 
ments,  3)  choosing  appropriate  element  meshes,  4)  defining  material  proper¬ 
ties,  and  5)  defining  boundary  conditions. 
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Based  on  the  results  from  the  interview  of  FEA  experts  and  the  results 
from  a  coarse  qualitative  screening  analysis,  Noyes  identified  the  choice  of  ap¬ 
propriate  element  mesh  sizes  as  a  key  potential  source  of  error  in  the  struc¬ 
tural  analysis.  Fault  Trees  were  used  to  perform  and  document  the  analyses 
(Figure  9.16).  The  base  rate  error  probabilities  were  based  on  research  per¬ 
formed  and  published  by  Williams  [1988],  These  results  have  been  summa¬ 
rized  in  Chapter  8. 

Three  primary  potential  contributors  to  the  probability  of  an  error  in  the 
mesh  size  (Pe)  were  identified  (Tree  1,  Figure  9.16): 

1)  an  error  resulting  from  inadequate  personnel  selection  and  training 
(Pte), 

2)  an  error  resulting  from  ignorance  on  the  part  of  those  performing  the 
analyses  (Pie),  and 

3)  an  error  resulting  from  mistakes  made  by  those  performing  the  analy¬ 
ses  (Pme). 

The  probability  of  realizing  an  error  in  the  mesh  size  was  taken  as  the 
sum  of  the  three  contributing  probabilities.  The  cross-product  probabilities 
representing  compounding  events  were  neglected. 


Tree  1 


Figure  9.16  -  FTA  of  the  three  primary  contributors  to  an  error  in  determina¬ 
tion  of  the  proper  mesh  size  in  the  structural  analysis 


170 


Chapter  9  Examples:  Qualitative  &  Quantitative  Analyses 

Tree  1  represents  the  final  evaluation  of  the  potential  contributors  to  the 
basic  fault:  an  error  in  the  finite  element  mesh  size.  Subsequent  trees  (Trees  2 
through  4)  were  used  to  define  the  primary  causes  of  the  three  primary  poten¬ 
tial  contributors  of  errors  and  to  determine  the  associated  probabilities. 

Tree  2  (Figure  9.17)  defines  the  organization  and  procedure  related 
causes  of  the  three  major  types  of  errors.  Tree  3  (Figure  9.11)  defines  the  pri¬ 
mary  contributing  and  compounding  organization  causes.  Tree  4  (Figure  9.12) 
defines  the  primary  contributing  and  compounding  procedure  causes.  These 
causes  were  based  on  the  organization  and  procedure  taxonomies  discussed 
previously.  The  evaluation  of  the  major  contributors  was  based  on  the  results 
from  an  initial  qualitative  evaluation  of  these  design  elements. 

For  example,  an  error  due  to  a  mistake  (Tree  1,  Figure  9.16)  could  be  due 
to  either  organization  or  procedures  (Tree  2C,  Figure  9.17).  The  organization 
caused  mistake  could  be  due  to  the  organization  culture  or  due  to  inadequate 
monitoring  and  controlling  (Tree  3C,  Figure  9.18).  These  two  categories  of  or¬ 
ganization  causes  were  identified  in  the  first  phase  quantitative  evaluations  as 
being  the  most  dominant  or  important. 

The  mistake  due  to  procedures  could  be  due  to  excessive  complexity  in 
the  procedures  or  due  to  inadequate  documentation  (Tree  4C,  Figure  9.19). 
Again,  these  two  categories  of  procedure  causes  were  identified  in  the  first 
phase  quantitative  evaluations  as  being  the  most  dominant  or  important. 

Identification  of  the  primary  causes  of  organization  and  procedure  er¬ 
rors  were  based  on  Noyes  study  of  the  Sleipner  A  failure  documentation  and 
her  quantitative  evaluation  of  the  process  used  to  analyze  the  star  cell  intersec¬ 
tion  stresses.  Evaluation  of  the  probabilities  associated  with  these  causes  were 
based  on  Noyes'  subjective  judgment  and  the  performance  shaping  factors  re¬ 
search  published  by  Williams  [1988]  and  summarized  in  Chapter  8. 

Given  these  evaluations  of  the  "prior"  probabilities  (based  on  the 
Sleipner  A  scenario),  Noyes  was  able  to  identify  the  likelihood  of  a  mesh  sizing 
error,  Pe.  The  results  (Tree  1)  indicated  that  this  probability  was  Pe  «  1  E-3 
(during  the  design  phase,  refer  to  Figures  8.3  and  8.4  for  basis).  Fifty  percent 
of  this  probability  was  due  to  an  error  caused  by  personnel  selection  and  train¬ 
ing.  This  was  the  primary  initiating  event  or  root  cause  of  the  Sleipner  A  sink¬ 
ing. 


Noyes  then  evaluated  how  changes  in  the  organization  and  procedures 
could  be  implemented  to  reduce  the  likelihoods  of  an  error  in  mesh  sizing. 
Noyes  used  the  results  of  the  work  published  by  Roberts  [1993, 1994]  to  charac¬ 
terize  organizational  improvements  and  the  work  by  Williams  [1988]  to  charac¬ 
terize  the  quantitative  effects  of  such  improvements  (refer  to  Table  8.2  for  ba¬ 
sis).  Noyes  used  the  work  of  Melchers  [1987],  Stewart  and  Melchers  [1985, 

1986, 1987, 1988, 1989  ],  and  Stewart  [1990]  to  characterize  improvements  in 
procedures  and  the  effects  of  increased  monitoring  and  controlling. 
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Figure  9.17  -  Tree  2  -  determination  of  design  errors  caused  by  organization 
and  procedures 
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Figure  9.18  -  Tree  3  -  determination  of  organization  errors  (culture,  monitoring 
&  controlling)  leading  to  an  error  in  the  mesh  sizing 


Tree  4B 


Figure  9.19  -  Tree  4  -  determination  of  procedure  errors  (complexity,  documen¬ 
tation)  leading  to  an  error  in  the  mesh  sizing 
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Table  9.1  summarizes  the  results  of  Noyes  study  of  the  effects  of  various 
QA  /  QC  measures  (requiring  organization  and  procedure  changes)  on  the 
structural  analysis  error  rate.  The  single  most  effective  measure  was  an  or¬ 
ganization  improvement  in  the  selection  of  designers  (design  organization  re¬ 
quirement  for  additional  design  engineer  experience).  This  measure  reduced 
the  error  rate  by  77  percent. 

The  second  most  effective  measure  was  an  organization  improvement  in 
a  requirement  to  increase  the  scope  of  outside  checking.  This  measure  re¬ 
duced  the  error  rate  by  36  percent.  Reductions  in  time  pressures  and  im¬ 
provements  in  training  had  comparable  effects;  reducing  the  error  rate  by 
about  20  percent.  Improvements  in  documentation  was  the  least  effective 
measure;  reducing  the  error  rate  by  about  10  percent. 


Table  9.1  -  Effects  of  alternative  QA  /  QC  measures  in  reducing  the  likelihood 
of  structural  analysis  errors  in  determining  the  finite  element  mesh  sizes 


Source  of  Error  Impacted 

Net  Change  in  Total  Error  - 

% 

Organization  -  improved  training 
of  designers 

selection  and  training 

-22 

Organization  -  improved  selec¬ 
tion  of  designers 

selection  and  training 
ignorance 

-77 

Procedures  -  improved  docu¬ 
mentation 

procedure  errors  due  to  docu¬ 
mentation 

-13 

Organization  -  reduce  time 
pressures  /  constraints 

mistakes 

-20% 

Organization  -  increase  outside 
checking 

monitoring  &  controlling 
mistakes 

-36  % 

The  next  step  in  such  an  evaluation  would  be  to  perform  cost  -  benefit 
analyses  of  these  alternative  improvements  to  determine  which  measures 
should  be  implemented.  This  would  involve  a  determination  of  the  base  rate  of 
errors  that  could  be  tolerated  (acceptable  probabilities  of  failure).  Such  an 
evaluation  was  not  performed  by  Noyes,  but  was  performed  by  Rettedal, 
Gudmestad,  and  Aarum  for  the  design  and  construction  of  the  Sleipner  B  plat¬ 
form  [1994]. 

The  study  performed  by  Retedal,  Gudmestad,  and  Aarum  [1994]  utilized 
an  approach  very  similar  to  that  used  by  Noyes  [1994].  They  structured  their 
analyses  using  ETA  and  FTA.  These  analyses  and  evaluations  primarily 
evaluated  equipment  and  structure  systems.  The  human  and  organization  el¬ 
ements  were  not  explicitly  evaluated.  They  were  integrated  into  the  back- 
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ground  to  define  equipment,  structure,  and  activity  failure  rates.  They  did  not 
use  any  formal  HOE  structure  or  classification  system. 

Retedal,  Gudmestad,  and  Aarum  [1994]  performed  a  very  comprehen¬ 
sive  evaluation  of  the  key  phases  of  construction  including  towing  to  location 
and  commissioning  the  Gravity  Base  Structure  (GBS).  They  evaluated  the  ef¬ 
fects  of  improvements  in  the  equipment,  structure,  and  human  activity  ele¬ 
ments  of  the  GBS  construction.  They  developed  tolerable  or  acceptable  error 
rates  that  the  improvements  were  intended  to  develop.  There  were  no  explicit 
cost-benefit  evaluations  of  the  alternative  improvements. 

Table  9.2  defines  the  probability  of  failure  that  Retedal,  et  al.  (Statoil)  de¬ 
fined  per  project  dependent  on  the  extent  of  the  project  loss  that  would  be  rep¬ 
resented  by  the  failure.  The  intolerable  risk  level  represented  the  boundary  be¬ 
tween  acceptable  and  unacceptable  probabilities  of  failure.  These  failure  rates 
were  then  defined  on  a  per  operation  basis  (e.  g.  submergence  testing,  deck 
transport,  deck  mating,  hook  up,  tow  out,  installation).  These  probabilities 
also  are  summarized  in  Table  9.2. 

While  these  target  probabilities  did  not  explicitly  evaluate  cost  aspects, 
they  were  based  on  historical  experience  with  these  types  of  systems.  At  the 
time  of  the  initiation  of  the  Sleipner  B,  the  primary  focus  was  on  prevention  of 
the  type  of  errors  that  had  lead  to  the  sinking  of  Sleipner  A.  In  the  light  of  the 
schedule  and  productivity  pressures,  prevention  costs  were  not  a  primary  con¬ 
sideration. 


Table  9.2  -  Probabilities  of  Failure  Per  Project  and  Per  Operation  in 
Construction  of  Sleipner  B  GBS 


Loss  (%) 

Probability  of  Failure 

Per  Project 

Probability  of  Failure 

Per  Operation 

■Emmmzai 

Intolerable 

mm 

intolerable 

rnmnuSSM 

IE-5 

5E-4 

IE-6 

5  E-5 

50 

(major  dam¬ 
age) 

IE-4 

5E-3 

IE-5 

5E-4 

1  0 

(minor  damage 

IE-3 

5E-2 

IE-4 

5E-3 

Table  9.3  summarizes  the  results  of  damage  probabilities  determined  by 
the  analyses  before  and  after  operator  error  risk  reduction  measures.  These 
measures  included  provision  of  construction  weather  instrumentation  and  cri¬ 
teria,  training  of  crane  operations  personnel,  improvements  in  communica¬ 
tions  systems  and  procedures,  training  in  solution  of  special  (critical)  prob¬ 
lems,  simulator  training,  and  detailed  pre-lift  planning. 
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These  comprehensive  measures  addressed  human,  organization,  sys¬ 
tem,  procedure,  and  environmental  aspects  of  the  critical  aspects  associated 
with  construction  of  the  Sleipner  B  GBS.  Note  that  several  of  the  measures  re¬ 
duced  the  likelihoods  of  damage  by  40  %  to  almost  70  %.  The  most  effective 
measures  were  concentrated  in  the  mechanical  installation  operations. 

The  authors  note  that  both  HazOp  (qualitative  evaluations)  and  QRA 
(quantitative  evaluations)  should  be  performed  in  making  such  analyses. 
Much  was  learned  from  each  of  the  approaches  about  how  to  improve  the  sys¬ 
tem  and  where  protective  measures  should  be  placed.  The  quality  of  the  QRA 
was  improved  as  a  result  of  the  HazOp  study. 

These  measures  were  effective  for  the  Sleipner  B  GBS  was  successfully 
constructed  in  a  record  short  time  (one  year)  and  installed  without  incident  in 
the  last  quarter  of  1993. 


Table  9.3  -  Damage  Probabilities  (x  E-6)  Before  /  After  Error  Reduction 

Measures 


Construction 

Phase 


TvDe  of  damaae 


oss  of  stability 


construction  sha 
damage 


installation  s 
damage 


shaft  dome  penetra¬ 
tion 


cell  dome  penetration 


After  Slip  Forming 


system  damage 


Mechanical 

Installation 


8.96/5.46 

(-40%) 


98.0/71.6 
(-27  %) 


24.3/12.8 
(-47  %) 


11.6/7.8 
(-33  %) 


0.59/0.24 

(-60%) 


3.93/1.29 
(-67  %) 


20.3 


8.3/5.59 

(-23%) 


Commissioning 


3.26/1.84 
(-44  %) 


65.2/36.7 

(-44%) 
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Tanker  Sideshell  Longitudinal  Detail  Design  Examples 


Both  of  the  following  examples  focus  on 
critical  structural  details  (CSD)  in  commercial 
tankers.  A  CSD  is  a  section  of  the  structure 
which  experiences  very  high  stress 
concentrations  in  comparison  with  the  rest  of 
the  structure,  and  therefore  requires  special 
attention  in  the  design  and  construction  phases, 
and  should  receive  close  scrutiny  in  inspections 
and  maintenance. 

The  example  CSD  that  will  be  the  subject 
of  the  two  examples,  the  sideshell  longitudinal  to 
webframe  connection,  is  illustrated  in  Figure 
9.20.  The  first  example  will  address  the  design 
of  this  class  of  CSD  to  assure  sufficient  fatigue 
durability.  The  second  example  will  address  the 
analysis  of  this  CSD  using  current  Finite  Figure  9.20  -  Example  CSD 

Element  Analysis  (FEA)  methods.  sideshell  longitudinal  to 

webframe  connection 

The  CSD  examples  will  be  those  from  a 
class  of  six  single-hull  ships  of  165,000  DWT 

(Figure  9.21).  The  mid-body  transverse  framing  of  this  class  of  ships  is  shown 
in  Figure  9.22. 

These  tankers  are  typical  of  the  maritime  industry  tanker  trade  in  gen¬ 
eral.  They  were  built  in  the  1970's  by  a  U.  S.  shipyard  after  being  designed  by 
an  experienced  U.  S.  naval  architecture  firm. 


The  ships  were  operated  on  a  trade  route  that  had  very  severe  weather 
for  most  of  the  year.  In  a  period  of  15  years,  these  ships  experienced  approxi¬ 
mately  3,000  significant  fatigue  fractures  in  CSD  (Figure  9.23). 


137  «a  M  UK  43  34  3»  • 

Profile 


Upper  Peck 


Figure  9.21  -  Plan  and  profile  of  example  165,000  DWT  tanker 
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Figure  9.22  -  Transverse  midships 
frame  of  example  tankers 


Bow  1  2  3  4  5  stern 

*  TANK  NUMBER  r 


Figure  9.23  -  Number  of  fractures  in 
class  of  165,000  tankers  (4  ships  in  10 
years) 


This  propensity  for  fatigue  problems  resulted  in  regulatory  repercus¬ 
sions.  The  ships  were  required  by  the  U.  S.  Coast  Guard  to  implement  a 
Critical  Area  Inspection  Plan  (CAIP),  which  specifies  the  methods  used  by  the 
vessel  operators  for  documentation  and  tracking  of  structural  failures.  It 
must  also  contain  the  vessel  fracture  history,  corrosion  control  systems,  and 
previous  repairs.  The  ships  were  required  to  undergo  inspections  once  every 
six  months,  which  meant  taking  the  ships  out  of  service,  at  great  cost  to  the 
operator  and  owner. 

Example  1  will  address  the  fatigue  design  aspects  of  the  CSD  in  the  class 
of  example  ships.  Example  will  address  the  Finite  Element  Analyses  (FEA)  of 
the  same  CSD. 


Example  1  -  Qualitative  Analysis 


The  question  posed  in  the  analysis  of  this  example  is  :  What  is  the  cause 
of  the  marked  susceptibility  to  fatigue  problems  in  the  CSD  of  the  example 
class  of  ships'? 

Study  of  the  background  and  history  of  these  ships  indicates  that  there 
are  many  answers  to  this  question  [Salancy,  1994b].  The  causes  include 
actions  (or  inactions)  by  the  ship  builder,  ship  operator,  regulatory  agencies, 
classification  society  and  ship  owner,  as  well  as  the  relationships  between 
these  groups. 

This  analysis  attempts  to  address  all  of  the  major  sources  of  fatigue  sus¬ 
ceptibility  in  order  of  occurrence,  beginning  with  the  existing  climate  in  ship 
design  and  construction  and  carrying  through  operation  of  the  ships. 
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Individual  problems  of  the  ships  are  addressed  and  a  quality  profile  is  carried 
out.  The  system  is  analyzed  by  event  trees  as  it  was  configured  and  as  it  could 
have  been  re-configured,  attaching  quantitative  values  to  the  errors  which  oc¬ 
curred. 


Fatigue  Analysis 

The  most  obvious  source  of  fatigue  susceptibility  was  the  lack  of  fatigue 
analysis  executed  during  the  design  of  the  ships.  Was  fatigue  a  known  risk  in 
engineered  structures  at  this  time?  The  answer  is  clearly  yes  [Nibbering,  et 
al.,  1973]. 

Fatigue  has  been  the  cause  of  some  of  the  largest  failures  in  the  U.S.  in 
recent  history,  including  failures  in  the  maritime  industry.  It  has  been  es¬ 
timated  that  from  50  to  90  percent  of  all  structural  failures  are  the  result  of 
"slow  crack  growth",  or  fatigue  degradation  [Petroski,  1985].  As  discussed 
later  in  this  section,  fatigue  analysis  was  well-known  at  the  time  of  conception 
of  these  ships.  Therefore,  a  major  error  in  the  design  of  these  ships  was  the 
lack  of  fatigue  analysis. 

The  issue  of  fatigue  was  not  examined  during  the  design  process  at  all. 
No  lab  testing  was  carried  out  for  fatigue.  The  reason  for  this  exclusion  was 
that  fatigue  analysis  was  not  required  by  the  regulatory  and  classification  bod¬ 
ies.  The  climate  in  shipbuilding  at  the  time  was  to  build  to  requirements  only. 

The  lack  of  fatigue  analysis  requirements  was  due  to  the  relationship  be¬ 
tween  the  ship  owners  /  builders  /  operators  and  the  regulatory  and  classifica¬ 
tion  societies.  The  owner  /  builder  /  operator  believed  that  by  building  the  ships 
to  existing  rules,  sufficient  safety  and  durability  was  ensured.  However,  the 
regulatory  and  classification  societies  considered  only  safety  to  be  their  respon¬ 
sibility,  not  durability,  and  therefore  did  not  include  fatigue  in  their  guidelines. 
This  situation  had  existed  because  durability  had  not  been  a  problem  histori¬ 
cally,  because  ships  built  with  adequate  safety  had  also  coincidentally  had  ade¬ 
quate  durability  as  a  result  of  the  safety  requirements. 

In  the  case  of  these  ships,  that  was  not  to  be  true,  primarily  because  a 
new  material  (HTS,  or  high  tensile  steel )  was  being  used  in  the  structure,  for 
which  this  circumstance  did  not  apply.  As  this  material  was  different  from 
that  which  the  regulatory  societies  had  based  their  stance  on  durability  on, 
durability  was  not  ensured  with  the  new  material. 

This  error  can  be  classified  as  one  of  organizational  error.  It  can  fur¬ 
ther  be  defined  as  an  error  in  communications  and  culture.  Communications 
was  a  problem  because  the  rule-making  bodies  did  not  make  clear  that  durabil¬ 
ity  was  not  their  responsibility  when  non-standard  materials  were  used  in  a 
design.  Culture  was  a  problem  because  both  the  regulatory  agencies  and  the 
classification  society  had  been  reducing  requirements  to  appease  ship  builders 
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and  attract  clients,  as  well  as  to  increase  the  economy  of  designs  by  lowering 
safety  factors  which  may  have  seemed  excessive  in  light  of  their  success. 

In  the  regulatory  agencies  rule  developers  had  changed  rules  to  go 
along  with  the  interests  of  ship  owners  to  build  cheaper  ships  (Figure  9.24). 
The  classification  societies  also  reduced  requirements.  This  was  to  ensure 
that  they  could  compete  with  other  classification  societies  for  business  —  if  one 
society  required  something  costly  that  another  did  not,  it  would  most  likely  lose 
business.  Another  culture  problem  was  the  economic  pressure  being  applied 
in  ship  construction.  HTS  was  relatively  untried  in  marine  applications,  but 
economic  pressures  to  increase  payload  per  deadweight  ton  forced  its  use. 

Finally,  the  ships  were  to  be 
operated  on  a  trade  route  with  severe 
wave  loadings,  which  increased 
susceptibility  to  fatigue  problems. 

This  fact  was  not  considered  during 
the  design  phase.  This  error  is 
considered  to  be  one  of  culture.  It  is 
a  sub- set  of  the  larger  fatigue 
analysis  problem,  and  therefore  is 
not  treated  separately.  It  was  known 
that  the  planned  route  for  the  ships 
was  one  with  severe  environmental 
fatigue  impacts,  but  the  designers 
failed  to  take  this  fact  into  account, 
assuming  that  if  the  design  passed 
the  regulatory  requirements,  fatigue 
would  not  be  a  problem. 

This  error  should  not  be 
considered  one  of  ignorance. 

Fatigue  was  a  well-known  risk  in  ship  design  at  the  time  these  ships  were 
conceived.  The  1967  edition  of  Principles  of  Naval  Architecture  [Comstock, 
1967]  contains  a  section  on  "Fatigue  in  Ship  Structures",  which  discusses  the 
use  of  HTS  and  describes  the  potential  problems  in  "details  subject  to  repeated 
reversal  of  high  stress"  (such  as  CSD).  The  section  even  includes  the 
admonition: 

"The  fatigue  limit  of  various  structural  steels  is  approximately 
proportional  to  the  ultimate  tensile  strength  of  the  material  and 
not  to  the  yield  point.  Therefore,  fatigue  may  become  an  impor¬ 
tant  consideration  as  higher  yield  strength  steels  are  used. " 

This  advice  would  have  been  within  easy  reach  of  most  naval  architects  at  the 
time. 

While  an  individual  may  have  suspected  possible  fatigue  problems,  it 
was  an  organizational  decision  to  design  to  regulatory  guidelines  and  not  to 


Figure  9.24  -  Reduction  in  required 
minimum  ship  structure  weight 
(100,000  DWT  tanker)  as  function  of  time 
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carry  out  fatigue  testing  on  HTS.  Therefore,  this  error  remains  an  organiza¬ 
tional  error.  It  should  also  be  pointed  out  that  fatigue  analysis  of  large  ships  is 
a  very  complex  problem.  Fatigue  analysis  of  offshore  oil  platforms  and  steel 
bridges  has  been  carried  out  for  many  years,  but  ship  analysis  tends  to  be  more 
difficult,  for  several  reasons  :  the  geometry  of  CSD  are  very  complex,  there  are 
many  of  them,  and  the  structure  system  and  loadings  are  very  complex. 
However,  these  same  problems  exist  for  airframes  and  they  have  been  success¬ 
fully  conquered. 

It  is  also  interesting  to  note  the  historical  relationship  between  required 
safety  factors  and  major  failures.  Petroski  [1985]  points  out  that  periods  of  pro¬ 
longed  success  tend  to  inevitably  invite  failures,  as  prolonged  success  leads  to  a 
lowering  of  safety  factors.  This  is  because  prolonged  success  seems  to  imply 
over-design  to  most  designers,  owners,  and  operators.  These  lowered  safety 
factors  eventually  lead  to  failures. 

In  this  case,  the  safety  factors  had  been  successful  for  fatigue,  even  if 
only  because  loading  safety  factors  coincidentally  insured  fatigue  success, 
which  led  to  this  type  of  failure  when  loading  safety  factors  were  (reasonably) 
lowered.  This  example  also  illustrates  another  point  of  Petroski's  :  apparently 
correct  answers  may  be  reached  for  the  wrong  reasons.  Just  because  the  ships 
in  the  recent  past  had  not  experienced  fatigue  problems  by  following  loading 
safety  factors  did  not  ensure  that  future  designs  would  also  escape  fatigue 
problems  without  undergoing  fatigue  analysis.  An  incorrect  understanding  of 
the  system,  which  incidentally  gives  correct  answers,  can  easily  lead  to  fail¬ 
ures. 


Finally,  Petroski  warns  against  the  potential  dangers  in  designs  with  a 
high  degree  of  newness,  which  seems  relevant  to  the  use  of  HTS  in  these  de¬ 
signs. 


"What  appears  to  work  so  well  on  paper  may  do  so  only  because 
the  designer  has  not  imagined  that  the  structure  will  be  subjected 
to  unanticipated  traumas  or  because  he  has  overlooked  a  detail 
that  is  indeed  the  structure's  weakest  link." 

This  would  appear  to  be  the  case  in  this  tanker  design,  where  the  fatigue 
properties  of  the  structure  were  its  weakest  link. 

In  a  recent  article  titled  "Victory's  Pipeline"  Hannan  [1994]  cited  three 
categories  of  problems  that  resulted  in  the  structural  failures  that  occurred  in 
521  T2  tankers  built  during  World  War  II:  design,  workmanship,  and  mate¬ 
rial.  Hannan  observed: 

"abrupt  changes  in  section,  or  elements  added  to  the  ship  as  an  af¬ 
terthought,  for  example,  often  became  troublemakers,  initiating 
cracks  and  raising  local  stresses." 
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"Imperfect  welds  were  the  point  of  origin  for  many  failures.  The 
imperfections  originated  as  often  the  manner  of  preparing  the  joint 
for  welding  as  in  the  quality  of  the  metal  deposited." 

"The  energy-absorbing  capacity  of  the  ordinary  ship  steel  used  was 
measured  by  impact  tests  and  found  to  have  a  generally  low  value 
within  the  range  of  temperature  in  which  the  vessels  operated. 

This  led  to  brittleness.  It  was  corrected  by  up-grading  the  steel 
specifications. " 

It  would  appear  that  many  of  the  same  problems  encountered  in  the  T2 
tankers  were  repeated  in  the  example  class  of  ship  structures. 

CSD  Configuration 

The  configuration  of  the  ships  made  them  fatigue-prone.  Ship  scant¬ 
lings  were  reduced  from  historically  average  sizes  and  high  tensile  steel  (HTS) 
was  used.  This  was  done  to  lighten  the  ship,  as  high  strength  steel  allowed  for 
a  lighter  ship  than  normal  steel,  increasing  the  amount  of  cargo  per  ton  of 
displacement.  However,  the  fatigue  properties  of  HTS  are  not  proportionally 
higher  than  that  of  mild  steel,  as  discussed  in  the  previous  section.  Therefore, 
the  design  of  the  CSD  made  the  ships  fatigue-prone.  The  CSD  design  did  not 
adequately  account  for  stress  concentrations,  which  exacerbated  this  fatigue 
problem. 

This  can  be  classified  as  an  individual  human  error.  The  design  of  the 
details  was  carried  out  by  the  design  team,  a  relatively  small  group.  This  er¬ 
ror  can  be  further  classified  as  one  of  selection  and  training.  The  error  is  con¬ 
sidered  of  this  type  because  stress  concentrations  should  have  been  predictable, 
and  the  problem  should  have  been  detectable  by  a  ship  designer. 


Construction  Climate 

The  climate  of  ship  construction  at  the  time  was  one  of  low-bid  to  win 
contracts.  This  attitude  resulted  in  attempts  by  the  designer  and  builder  to 
minimize  costs  at  every  opportunity.  This  led  to  cost-cutting  in  design  as  well 
as  construction.  This  is  an  organizational  problem,  and  is  classified  specifi¬ 
cally  as  organizational  error  in  culture.  The  existing  culture  did  not  promote 
or  reward  work  of  high  quality,  but  work  of  low  cost. 

The  state  of  the  shipyards  also  lead  to  errors  in  the  design  and  construc¬ 
tion  of  the  ships.  Shipyards  bid  on  the  “minimum  initial  cost”  ship  to  win  con¬ 
tracts.  This  emphasis  on  initial  cost  drew  attention  away  from  life-cycle  think¬ 
ing,  which  lead  to  overlooking  fatigue,  corrosion  and  maintenance  concerns. 

The  tankers  had  to  be  built  in  the  U.  S.  because  of  the  Jones  Act,  a  piece 
of  legislation  which  went  into  effect  in  1921  and  states  that  ships  used  on  routes 
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between  domestic  ports  must  be  built  in  the  U.  S.  Therefore,  the  owners  were 
forced  to  have  the  ship  construction  done  by  an  industry  that  was  not  "up  to 
par",  as  U.  S.  shipyards  were  clearly  inferior  to  foreign  yards  in  terms  of  pro¬ 
ductivity,  quality,  and  technology.  This  can  be  proven  by  one  single  statistic  : 
3760  new  commercial  ship  orders  were  placed  between  1988  and  1992,  with  only 
5  going  to  U.  S.  yards  [Crawley,  1993].  The  Jones  Act  ensured  that  the  U.  S. 
shipyards  would  not  have  to  compete  against  foreign  shipyards  for  this  type  of 
ship.  This  act  removed  at  least  some  of  their  incentive  for  improvement. 

U.  S.  shipyards  were  behind  the  times  in  terms  of  organization,  and  this 
may  have  had  the  greatest  effect  on  their  quality  problems.  Foreign  yards  were 
employing  techniques  such  as  modular  construction,  process  lanes  and  zone 
outfitting.  These  methods  allowed  for  simplified  critical  paths,  greater  quality 
control,  and  superior  monitoring,  and  are  described  more  fully  in 
"Reconfiguration  of  System".  In  one  study  [Weiers,  1984]  it  was  found  that  a 
Japanese  yard,  producing  the  same  ship  design  as  a  US  shipyard,  required 
only  27%  of  the  labor  hours,  and  only  65%  of  the  material  cost. 

The  errors  due  to  the  climate  of  U.  S.  ship  construction  are  classified  as 
organizational  errors.  Specifically,  they  are  errors  of  culture,  planning  and 
preparation,  structure  and  organization,  and  monitoring  and  controlling. 


Construction 

This  section  focuses  specifically  on  the  execution  of  construction,  as  op¬ 
posed  to  the  overall  planning  and  preparation  of  construction.  Construction  of 
high  quality,  robust  ships  may  have  resulted  in  ships  resilient  to  errors  com¬ 
mitted  in  the  design  phase,  as  well  as  in  operation.  However,  low  quality  con¬ 
struction  appears  to  have  resulted  in  error-intolerant  ships. 

The  construction  quality  of  the  ships  was  generally  poor  [Salancy, 

1994a].  Misalignments,  poor  fit-up,  incomplete  and  poor  quality  welding,  hand 
flame-cut  edges,  and  poorly  applied,  low  durability  coatings  were  found.  Poor 
edge  preparation  of  CSD  was  also  common.  Commissioning  inspections 
performed  by  the  shipyard,  the  regulatory  agency,  the  classification  society, 
and  lastly,  the  owner  all  disclosed  incompletely  welded  CSD.  Each  of  these 
inspections  disclosed  different  numbers  and  locations  of  incompletely  welded 
details.  Existing  QA  /  QC  measures  failed  to  detect  and  correct  the  wide 
variety  of  problems  that  arose  during  construction. 

The  errors  which  occurred  in  construction  are  considered  to  be  individ¬ 
ual  human  errors.  They  are  due  to  ignorance,  selection  and  training,  slips, 
and  planning  and  preparation.  Most  of  these  errors  can  be  attributed  to  the 
state  of  U.  S.  shipyards  at  the  time. 
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Operation,  Maintenance,  Repair 

Although  this  example  focuses  on  HOE  during  design  and  construction, 
the  operation  of  these  ships  shows  how  operation  can  act  to  exacerbate  errors 
begun  in  the  design  and  construction  phases.  This  seems  to  further  support 
Perrow's  claim  that  the  maritime  industry  is  "error-intolerant"  as  well  as 
Petroski's  assertion  that  "all  errors  are  design-initiated".  The  ships  in  ques¬ 
tion  were  operated  without  regard  to  damaging  conditions,  typically  operating 
at  full  speed  in  severe  seas.  This  further  exacerbated  the  fatigue  susceptibility 
of  the  ships,  by  subjecting  them  to  more  frequent,  higher  stress  cyclic  loadings. 
This  scenario  probably  could  have  been  foreseen  by  the  designers. 

Maintenance  of  the  ships  was  reduced  below  that  historically  typical  in 
order  to  lower  operating  costs.  Corrosion  (general,  pitted,  and  grooving)  in  bal¬ 
last  tanks  reduced  fatigue  life  of  many  structural  details.  This  corrosion  could 
have  been  stopped  if  maintenance  had  been  adequate. 

Finally,  the  quality  of  the  repair  work  done  on  the  CSD  was  poor. 

Repairs  were  not  engineered.  Repairs  were  frequently  expedient  or  neglected 
to  get  the  ships  back  in  service. 

All  of  these  errors  can  be  considered  organizational  and  cultural, 
stemming  from  economic  pressures  to  meet  schedules,  lower  maintenance 
costs,  and  save  on  repair  expenses.  These  errors  are  not  examined  in  detail. 
However,  it  should  be  noted  that  they  served  to  exacerbate  the  existing  prob¬ 
lems,  rather  than  create  new  ones.  This  is  further  evidence  that  HOE  preven¬ 
tion  in  the  early  stages  of  design  and  construction  is  more  effective  and  effi¬ 
cient  than  management  in  later  stages. 


Quality  Profile 

This  section  describes  a  quality  profile  carried  out  on  the  example  ships. 
This  profile  is  used  to  determine  the  general  quality  to  be  expected  of  the  ships, 
as  well  as  to  highlight  the  areas  which  are  expected  to  have  the  greatest  im¬ 
pact  on  quality.  The  quality  scores  are  illustrated  in  Figure  9.25. 

The  ships  are  given  low  marks  for  materials,  as  HTS  was  relatively  new 
to  ship  construction  and  this  shipyard.  Construction  quality  was  poor,  as 
mentioned  earlier,  so  scores  are  low  for  construction  -  procedures  and  sys¬ 
tems.  The  structure  was  not  analyzed  for  fatigue,  so  both  the  structure  and  the 
design  -  procedures  and  systems  are  given  low  scores.  Personnel  and  man¬ 
agement  were  typical  of  a  U.  S.  shipyard,  so  construction  -  personnel  and 
management  and  design  -  personnel  and  management  are  given  slightly  be- 
low-average  scores.  Available  technology  (compared  to  foreign  yards)  was  not 
employed,  so  the  technology  score  is  low.  Finally,  financial  resources,  person¬ 
nel  resources,  time  resources  and  quality  incentives  are  all  given  low  scores 
due  to  the  climate  at  US  shipyards  at  the  time  of  construction. 
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Observations  -  Qualitative  Analysis 

The  figure  shows  that  in  all  of  the  categories,  the  ship  structure  quality  factors 
were  judged  to  be  below  "average."  The  ship  structures  were  obviously  prone 
to  low  quality:  excessively  low  durability.  The  material  (HTS)  is  the  area  of 
greatest  concern.  However,  design,  construction,  and  organization  related  is¬ 
sues  lead  to  low  quality  scores.  The  provision  of  "below  average"  technology, 
time,  personnel,  and  financial  resources  is  a  critical  issue  that  is  reflected  in 
the  low  quality  incentives.  It  is  these  key  issues  that  will  become  the  focus  of 
the  second  part  of  this  example;  the  quantitative  analyses. 
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Example  1  -  Quantitative  Analysis 


The  qualitative  analysis  and  quality  profile  highlighted  four  factors  in 
design  and  construction  which  were  major  contributors  to  HOE.  These  four 
factors,  and  their  specific  type  of  HOE,  are  listed  in  Table  9.4.  Corrosion  pro¬ 
tection  was  not  considered  a  major  factor,  although  it  is  a  case  of  HOE.  It  is 
very  similar  to  the  CSD  design,  but  its  consequences  were  somewhat  less  im¬ 
mediate. 

Table  9.4-  Major  factors  and  causes  resulting  in  low  durability  CSD 


Factor  I  -  FATIGUE  DESIGN  ANALYSIS 

Organizational  Error,  Communications 
Organizational  Error,  Culture 

Factor  II  -  CSD  CONFIGURATION 

Human  Error,  Selection  and  Training 

Factor  III  -  CLIMATE  OF  SHIP  CONSTRUCTION 

Organizational  Error,  Culture 
Organizational  Error,  Planning  and  Preparation 
Organizational  Error,  Structure  and  Organization 
Organizational  Error,  Monitoring  and  Control 

Factor  IV  -  SHIP  CONSTRUCTION 

Human  Error,  Ignorance 
Human  Error,  Selection  and  Training 
Human  Error,  Slips 

Human  Error,  Planning  and  Preparation 


Analysis  -  Original  System 

The  example  is  first  analyzed  for  the  original  conditions.  Each  of  the 
four  factors  is  analyzed  by  an  event  tree.  This  required  establishing  baseline 
error  rates  for  each  factor.  The  baseline  error  rate  for  Factor  I  (error  in  the  fa¬ 
tigue  analysis)  is  10'2  [Williams,  1988].  This  rate  has  been  selected  because  the 
error  occurred  in  the  omission  of  proper  communication  of  responsibility. 

Factor  II  (error  in  CSD  design)  has  an  error  rate  of  10'3,  as  the  design  of 
CSD  for  fatigue  was  not  well  developed  at  the  time.  Factor  III  has  an  error 
rate  of  10‘3  also,  as  the  state  of  US  shipbuilding  was  the  result  of  a  confused  set 
of  relationships  and  dependencies,  where  errors  could  occur  without  much 
chance  of  being  noticed.  Factor  IV  has  an  error  rate  of  10‘3,  as  the  construc¬ 
tion  process  was  slightly  more  complex  than  usual  (HTS),  and  there  were  time 
and  economic  pressures. 
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The  probabilities  of  the  situations  to  induce  errors  being  present  are  di¬ 
vided  equally  in  this  analysis.  In  the  analysis  of  the  re-configured  system, 
these  values  may  be  reduced,  as  indicated  by  the  "Multipliers  for  Performance 
Shaping  Factors"  [Rettedal,  et  al,  1994]  and  "Relative  Strengths  of  Error- 
Producing  Conditions"  [Williams,  1988].  A  large  database  of  HOE  would  make 
it  possible  to  predict  the  probabilities  of  these  situations  with  greater  accuracy. 
However,  the  main  thrust  of  this  report  is  to  identify  QA  /  QC  efforts  which  will 
reduce  these  probabilities,  so  the  actual  probabilities  are  not  as  important  in 
this  report  as  the  factor  by  which  they  are  reduced. 

The  four  factors  are  examined  by  event  trees  in  the  following  figures. 

The  trees  begin  with  the  baseline  error  rate  and  then  divide  evenly  for  each 
HOE  situation. 
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Figure  9.26  -  Event  Tree  for  Factor  I 


Figure  9.26  illustrates  how  the  analysis  will  be  carried  out.  A  baseline 
error  rate  is  assumed  for  the  error  in  fatigue  analysis.  The  situations  which 
may  exacerbate  this  error  are  added  to  the  tree,  and  the  probability  of  each  sit¬ 
uation  occurring  is  given  as  50  %.  The  total  probability  of  an  error  occurring 
due  to  one  of  the  given  causes  is  found  at  the  end  product  of  each  branch  of  the 
tree. 
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Figure  9.27  -  Event  Tree  for  Factor  II 
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Figure  9.28  -  Event  Tree  for  Factor  III 
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Figure  9.29  -  Event  Tree  for  Factor  IV 


Evaluation  of  Improved  Design  Alternatives 

By  the  use  of  QA  /  QC  measures  the  probability  of  occurrence  of  situa¬ 
tions  inducing  HOE  can  be  reduced.  These  measures  are  described  for  each 
factor  in  this  section,  and  then  quantitatively  evaluated  in  the  following  sec¬ 
tion. 

Factor  I  can  be  ameliorated  by  several  organization-wide  shifts  in  em¬ 
phasis.  Establishing  clear  lines  of  communication  and  responsibility  between 
the  various  agencies  at  work  in  shipbuilding  would  greatly  improve  the  prob¬ 
lem  and  reduce  the  occurrence  of  conflicts  of  interest.  An  example  of  how  re¬ 
sponsibility  can  be  defined  is  given  below  for  the  four  agencies  involved  in  ship 
design,  construction,  and  operation  :  regulatory  bodies,  classification  and  in¬ 
spection  groups,  designers  and  builders,  and  owners  and  operators  [Bea, 
1994a]: 
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•  Regulatory  :  Definition  and  verification  of  compliance  with  goals 
and  policies  of  quality. 

•  Classification  and  Inspection  :  Development  of  classification  rules 
that  will  guide  and  verify  design,  construction,  and  operation  of 
durable  and  reliable  structures  that  meet  regulatory  and  owner  re¬ 
quirements. 

•  Design  and  Construction  :  Designing  and  producing  structures 
with  appropriate  quality. 

•  Owners  and  Operators  :  Design  and  maintenance  of  high  quality 
structures  and  the  economic  operation  of  structures. 

However,  this  would  be  difficult  to  implement  in  the  short-run. 

Focusing  on  the  life-cycle  costs  of  the  ship  could  be  a  better  means  of  improve¬ 
ment  [Bea,  1994b].  When  the  economics  are  examined  for  the  life-cycle,  the  ad¬ 
vantages  of  initially  robust  design  versus  design  for  light  weight  and  low  ini¬ 
tial  cost  should  be  obvious.  The  benefit  of  regular  maintenance  versus  unex¬ 
pected  repairs  will  also  be  made  clear.  Focusing  on  resource  allocation  and 
accountability  will  also  be  beneficial. 

Factor  II  can  be  improved  by  focusing  on  fundamentals  and  identifica¬ 
tion  of  failure  modes.  Ellingwood  [1987]  describes  this  type  of  error  prevention 
measure  : 

"Technical  measures  include  independent  reviews  of  fundamen¬ 
tal  design  concepts  and  assumptions,  which  have  been  identified 
as  the  root  of  many  failures.  Such  reviews  should  be  performed 
on  all  major  projects.  Even  simple  equilibrium  and  stability 
checks  frequently  reveal  fundamental  errors  in  design  concepts 
and  assumptions.” 

Employees  should  be  selected  by  their  command  of  basic  concepts  and 
training  should  be  carried  out  to  help  retain  the  fundamentals.  Also,  the 
recognition  of  "hazard  scenarios"  or  failure  modes  should  be  emphasized.  As 
Petroski  pointed  out,  a  designer  can  only  design  against  failure  modes  which 
he  or  she  recognizes.  Other  failure  modes  may  be  covered  incidentally,  but 
this  can  lead  to  dangerous  situations.  QA  /  QC  measures  towards  improved 
designs  would  include  licensing,  verification  and  testing  procedures,  incen¬ 
tives,  accountability,  and  job  design. 

Factor  III  presents  a  very  complicated  problem.  The  state  of  U.  S.  ship¬ 
yards  and  the  climate  of  construction  in  the  U.  S.  is  a  product  of  many  agen¬ 
cies.  However,  it  is  clear  that  U.  S.  shipyards  have  not  kept  up  with  modem 
advances  in  ship  construction.  Although  some  of  the  lagging  can  be  attributed 
to  lack  of  series  ship  orders  and  cost  of  equipment,  much  of  the  modernization 
in  foreign  shipyards  has  been  in  the  form  of  organization  [Weiers,  1984].  A  ba- 
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sic  reorganization  of  shipyard  labor  into  more  efficient  units  would  greatly  im¬ 
prove  productivity. 

There  are  four  steps  towards  modem  ship  building  practice  which  the 
shipyard  that  built  the  example  class  of  ships  could  implement  to  improve 
quality  and  productivity: 

1)  Modular  construction  techniques  should  be  employed.  This  serves  to 
simplify  planning  and  reduce  interference  between  groups  of  outfit¬ 
ters. 

2)  Process  lanes  should  be  implemented  [Salancy,  1994a].  These  consist 
of  fixed  workstations  which  process  items  or  units  of  similar 
construction.  This  enables  workers  to  progress  along  the  learning 
curve  of  construction  and  makes  possible  the  use  of  statistical  control 
in  the  production  process.  It  also  provides  greater  tool  utilization, 
simpler  material  handling,  and  the  tolerances  necessary  for 
successful  modular  construction.  It  can  serve  as  a  basis  for 
implementing  continual  improvement  and  modern  management 
techniques  such  as  work  teams  and  participate  management. 

3)  Zone  outfitting  should  be  executed.  This  consists  of  outfitting  by  mod¬ 
ule,  block,  or  unit.  It  has  been  estimated  that  outfitting  by  block  saves 
30%  in  labor,  while  outfitting  by  unit  saves  70%  over  conventional  out¬ 
fitting  [Weiers,  1984].  This  improvement  is  the  result  of  simplified  co¬ 
ordination  and  scheduling  and  less  time  moving  material  through 
areas  under  construction. 

4)  Use  standardized  tested  designs  for  subassemblies  and  units.  This 
would  work  well  with  process  lanes  and  zone  outfitting.  If  plans  were 
created  and  stored  electronically,  maximum  utilization  of  CAD  /  CAM 
and  FEA  could  be  obtained.  There  would  also  be  benefits  due  to  re-use. 

Establishing  goals  of  quality  and  good  customer  relations  over  low-bid 
would  go  a  long  way  towards  improving  the  state  of  ship  construction. 
Construction  should  also  be  viewed  in  terms  of  life-cycle  costs. 

Factor  IV  is  also  a  difficult  problem.  The  example  of  foreign  shipyards 
could  be  followed  for  training,  selection  and  organization.  Reorganization 
would  bring  about  the  greatest  quality  change.  However,  reorganization  would 
require  workers  with  flexible  skills.  This  would  be  a  problem,  as  U.  S.  ship¬ 
yards  are  currently  approximately  90  %  unionized,  with  the  unions  being 
craft-based  [Stabler,  1993].  Without  flexibly-skilled  workers,  the  advantages  of 
techniques  such  as  zone  outfitting  cannot  be  fully  realized. 

Following  the  principles  of  design  for  constructability,  inspectability, 
and  repairability  would  be  beneficial  [Bea,  1992]. 
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Analysis  -  Re-configured  System 

Based  on  the  reconfiguration  suggestions  made  in  the  previous  section, 
the  system  is  again  analyzed  by  event  trees,  with  new  probabilities  of  occur¬ 
rence  (but  the  same  base  error  rates). 

In  Factor  I  (Figure  9.30),  the  Communications  error  probability  has 
been  reduced  by  half.  The  awareness  of  communication  problems  should  have 
some  immediate  effect,  but  actually  changing  the  way  the  various  agencies  in¬ 
teract  will  be  difficult  and  take  a  great  deal  of  time.  Similarly,  the  Culture  er¬ 
ror  probability  has  been  reduced  by  a  factor  of  two.  Putting  emphasis  on  life- 
cycle  considerations  will  have  a  good  effect,  but  it  will  take  a  long  time  to  over¬ 
come  the  existing  economic  pressures.  Initial  gains  should  not  be  difficult,  but 
substantial  change  will  be  slow,  hard  work. 
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Figure  9.30  -  Event  Tree  for  Factor  I,  Re-configured 


Factor  II  (Figure  9.31)  would  experience  greater  improvement  through 
QA  /  QC  measures.  Focusing  on  fundamentals  and  failure  modes  would  give 
designers  a  much  better  chance  to  detect  large  errors.  Therefore,  the  probabil¬ 
ity  of  error  due  to  Selection  and  Training  has  been  reduced  by  a  factor  of  five. 
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Figure  9.31  -  Event  Tree  for  Factor  II,  Re-configured 

It  is  difficult  to  assess  the  impacts  of  improved  QA  /  QC  for  Factor  III 
(Figure  9.32).  It  is  judged  that  focusing  on  life-cycle  costs  and  quality  would 
improve  the  Culture  problem,  reducing  it  by  a  factor  of  two  [Bea,  1994b]. 
Adopting  modern  shipbuilding  methods  of  organization,  selection,  and  train 
ing  could  have  a  similar  effect  on  Planning  and  Preparation  and  Structure 
and  Organization.  Implementing  statistical  control  methods  would  have  a 
large  impact  on  Monitoring  and  Control,  reducing  its  probability  of  contribut 
ing  to  error  by  a  factor  of  five. 
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Figure  9.32  -  Event  Tree  for  Factor  III,  Re-configured 
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Factor  IV  (Figure  9.33)  can  be  handled  in  the  same  manner  as  Factor 
III.  Improved  Selection  and  Training  can  be  expected  to  cut  error  probabilities 
in  half,  if  modern  shipbuilding  methods  are  employed.  Probabilities  of  error 
due  to  Ignorance  and  Slips  should  also  be  decreased  by  the  same  amount.  The 
greatest  benefit  would  be  in  adopting  modem  methods  of  labor  organization 
and  construction  planning.  By  using  these  methods,  a  reduction  in  error  due 
to  Planning  and  Preparation  of  a  factor  of  five  could  be  realized. 


Figure  9.33  -  Event  Tree  for  Factor  IV,  Re-configured 


Observations  from  Quantitative  Analyses 

Table  9.5  summarizes  the  quantitative  results  from  Example  1.  The 
evaluations  indicate  that  in  the  initial  state  the  likelihood  of  experiencing  less 
than  desirable  fatigue  durability  in  this  class  of  ships  CSD  due  to  HOE  prob¬ 
lems  was  about  3  E-2.  Given  this  less  than  desirable  durability  in  the  ships, 
the  likelihood  of  fatigue  failures  in  the  CSD  was  about  1  E-l  (for  a  15  year  oper¬ 
ating  period)  [Bea,  1993a;  Schulte-Strathaus,  Bea,  1993].  This  class  of  ships 
were  obviously  a  problem  waiting  to  happen. 

The  largest  contributors  to  the  CSD  durability  problem  were  due  to  con¬ 
struction  related  issues,  both  of  which  had  their  roots  in  organizational  issues. 
The  construction  related  issues  indicated  a  probability  of  durability  failure  of  2 
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E-2  while  the  design  related  issues  indicated  a  probability  of  durability  failure 
oflE-2. 

As  discussed,  each  of  the  four  factors  has  means  for  improvement. 
Addressing  the  design  issues,  Factor  I  would  be  the  most  important  element  to 
concentrate  improvement  efforts  on,  as  it  has  the  highest  baseline  error  rate  of 
the  design  related  issues.  Development  of  fatigue  design  guidelines  and  re¬ 
quirements  would  clearly  address  this  factor. 

In  the  other  factors,  a  new  QA  /  QC  effort  for  hiring  and  training,  for 
both  designers  and  yard  workers,  would  have  positive  and  significant  impacts 
on  quality.  Some  type  of  reorganization  of  shipyard  labor  will  be  necessary  for 
improved  quality  control  in  construction,  which  will  be  a  difficult  problem,  but 
is  necessary  to  improve  construction  quality. 

However,  it  appears  the  greatest  problems  are  those  which  are  classified 
as  organizational  and  cultural.  Changing  these  categories  would  have  the 
best  chance  of  changing  the  overall  system  from  one  which  is  considered  error 
prone  or  low  quality  inducing  to  one  that  is  acceptable  quality  inducing,  robust, 
and  error-tolerant.  The  positive  interactions  of  the  cooperating  agencies 
(owner  /  operator,  regulatory,  classification,  shipyard)  oriented  toward  achiev¬ 
ing  acceptable  quality  in  the  ship  structures  are  perhaps  the  most  important 
change  that  could  be  made  [Bea,  1994a]. 

Technical  changes  such  as  improved  durability  design  guidelines  are 
less  important  than  organizational  issues  such  as  requirements  that  they  be 
used  and  the  provision  of  adequately  trained  personnel  and  other  design  re¬ 
sources.  Similarly,  it  is  organizational  issues  related  to  construction  that  are 
the  most  important;  most  of  these  are  rooted  in  provision  of  sufficient  re¬ 
sources  (personnel,  time,  money)  to  achieve  adequate  quality  in  the  ship  CSD. 
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Table  9.5  -  Summary  of  results  from  Example  1 


Lmmiamamii i iiii  n  — — 

Baseline  Enor  Rate 

1.00E-02 

As  Configured 

As  Re-configured 

P  Communications 

0.50 

0.25 

P  Culture 

0.50 

0.25 

P  Error  -  Communications 

5.00E-03 

2.50E-03 

P  Error  -  Culture 

2.50E-03 

6.25E-04 

Total  P  Error 

7.50E-03 

3.13E-03 

Net  Change 

58% 

[FACTOR  II  :  CSD  DESIGN 

Baseline  Error  Rate 

1.00E-03 

As  Configured 

As  Re-configured 

P  Selection  and  Training 

0.50 

0.10 

P  Error  -  Selection 

5.00E-03 

1.00E-03 

Total  P  Error 

5.00E-03 

1.00E-03 

Net  Change 

80% 

FACTOR  III  :  CLIMATE  OF  US 

SHIP  CONSTRUCTION 

Baseline  Error  Rate 

1.00E-03 

As  Configured 

As  Re-configured 

P  Culture 

0.50 
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Example  2  -  Qualitative  Analysis 


The  second  example  analyzed  in  this  report  focuses  on  the  finite  element 
analysis  (FEA)  of  the  CSD  developed  in  the  first  example.  The  naval  architec¬ 
ture  firm  responsible  for  this  design  utilized  the  then  current  ABS  Rules  for 
Building  and  Classing  Steel  Vessels  [ABS,  1991]. 

The  goal  of  this  example  is  to  illustrate  how  HOE  in  FEA  might  be  better 
managed;  specifically  in  the  global  and  local  FEA  performed  in  fatigue  analy¬ 
sis  of  CSD  by  ship  designers. 

The  observations  pertaining  to  FEA  in  this  example  are  based  on  inter¬ 
views  conducted  during  this  project  with  users  of  FEA  applied  to  ship  struc¬ 
tures.  The  observations  are  meant  to  be  generic,  and  will  vary  in  details  ac¬ 
cording  to  the  specific  FEA  analysis  package  employed.  The  example  is  not 
specific  to  a  particular  usage  of  FEA  in  design,  rather  it  is  an  attempt  to  illus¬ 
trate  the  potential  problems  stemming  from  the  use  of  FEA  in  general,  and 
particularly  to  the  analysis  of  ship  structures. 

Currently,  there  are  no  definitive  guidelines  for  the  usage  of  FEA  in  ship 
structures,  although  some  methods  are  under  development  [ABS,  1993;  Ma, 
Bea,  1994;  Schulte-Strathaus,  Bea,  1993].  However,  by  the  use  of  efficient  QA  / 
QC  measures,  it  should  be  possible  to  gain  acceptable  and  sufficient  consis¬ 
tency  and  accuracy  in  FEA  analysis. 


Background 

FEA  is  a  numerical  technique  for  physical  responses  of  a  structure  to 
imposed  loads,  moments,  and  stresses  [Hughes,  1988].  The  use  of  the  finite  el¬ 
ement  technique  became  feasible  and  economical  with  the  advent  of  high-speed 
computers  which  could  carry  out  the  thousands  of  equilibrium  calculations 
required  of  an  FEA  model  in  a  reasonable  amount  of  time.  However,  the  poten¬ 
tial  of  FEA  is  still  limited  by  the  speed  of  computers,  so  the  use  and  accuracy  of 
FEA  can  be  expected  to  increase  in  the  future  with  increases  in  computing 
speed. 


FEA  seeks  to  define  a  structure  "as  an  assemblage  of  individual  struc¬ 
tural  elements  interconnected  at  a  discrete  number  of  nodes"  [Hughes,  1988]. 
In  a  continuous  structure,  such  as  a  ship,  the  choice  of  what  to  model  as  an 
individual  element  can  be  difficult  to  determine,  as  continuous  panels  must  be 
subdivided  into  separate  finite  elements  for  the  modeling  to  work  [Stear, 
Paulling,  1992;  Zilikotto,  et  al.,  1991]. 

FEA  proceeds  through  a  series  of  analyses  that  are  intended  to  zoom-in 
on  a  particular  CSD  to  determine  the  local  hot-spot  stresses  [Hughes,  1983; 
Sumi,  1994],  This  process  is  illustrated  in  Figure  9.34  -  Figure  9.40. 
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First  a  global  analysis  of  the  ship  is  performed  to  determine  the  distribu¬ 
tion  of  loadings  through  the  length  of  the  ship  (Figure  9.34).  Next,  a  section  of 
the  ship  is  identified  (e.  g.  one  tank  space  either  side  of  the  area  of  interest)  and 
the  boundary  conditions  /  loadings  to  be  imposed  on  the  ship  section  deter¬ 
mined  from  the  previous  step  (Figure  9.35). 

These  boundary  conditions  are  imposed  on  a  coarse  finite  element  model 
of  the  ship  section  of  interest  (Figure  9.36)  [Stear,  1993].  The  loadings  and  dis¬ 
placements  are  analyzed  to  determine  the  loadings  and  displacements  close  to 
the  CSD  of  interest  (Figure  9.37). 


FrS3 
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Figure  9.34  -  Global  model  of  tanker  developed  based  on  boundary  loadings  im¬ 
posed  one  tank  space  either  side  of  the  tank  being  analyzed 
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Figure  9.35  -  Global  loadings  imposed  on  boundaries  of  global  finite  element 
model 
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Figure  9.36  -  Global  finite  element  model 


Figure  9.37  -  Local  displacements  induced  at  boundaries  of  CSD 


These  local  loadings  and  displacements  are  then  imposed  on  a  section 
that  surrounds  the  CSD  of  interest  and  a  gross  finite  element  model  developed 
of  the  CSD  (Figure  9.38)  [Stear,  Paulling,  1993;  Xu,  et  al.,  1993]. 

Next,  detailed  fine-mesh  FEA  are  performed  on  the  CSD  to  determine 
the  stresses  (principal,  crack  opening)  that  are  important  to  the  strength  and 


200 


Chapter  9 


Examples:  Qualitative  &  Quantitative  Analyses 


durability  of  the  detail  (Figure  9.39).  The  final  step  is  associated  with  determi 
nation  of  the  hot  spot  stresses  associated  with  each  of  the  important  loading 
conditions  (Figure  9.40). 


Figure  9.38  -  Wire  frame  model  of  CSD 


Figure  9.39  -  Detailed  FEA  of  CSD  with  boundary  condition  loadings  and  re¬ 
straints 
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Figure  9.40  -  Local  hot  spot  stresses  in  CSD 


At  the  local  hot-spot  level  of  the  analyses,  the  choice  of  mesh  size  can 
lead  to  problems  in  compatibility  which  are  difficult  to  detect  [Ma,  1994]. 
Another  potential  source  of  problems  is  the  sheer  complexity  of  FEA  models 
[Stear,  1992;  Xu,  et  al.,  1992].  Even  simple  models  of  structural  details  tend  to 
have  thousands  of  individual  elements,  making  a  finite  element  model  very 
complex  and,  in  almost  all  cases,  too  large  to  check  by  hand  calculations. 

FEA  is  commonly  used  in  the  analysis  of  ship  structures  to  determine 
the  "hot  spot"  stress  ranges  in  fatigue  analysis  of  CSD  [Schulte-Strathaus, 
1993].  These  hot  spots  are  the  areas  where  the  highest  stress  concentrations 
are  expected  to  occur,  and  therefore  where  fatigue  cracking  is  most  likely  to 
initiate.  It  is  this  level  of  FEA  that  will  be  addressed  in  this  example. 

FEA  consists  of  the  definition  of :  the  type  of  elements,  boundary  /  re¬ 
straint  conditions,  mesh  compatibility,  and  mesh  size  /  aspect  ratio. 

Individual  human  errors  can  be  made  in  any  of  these  determinations.  The  in¬ 
terviews  documented  by  Noyes  [1994]  identified  five  important  considerations 
in  performing  FEA: 

1)  defining  geometry  limitations  ■  consideration  of  special  methods  re¬ 
quired  to  model  curved  surfaces,  to  properly  model  stress  gradients,  and 
to  accurately  describe  the  behavior  of  the  portion  of  the  structure  under 
consideration. 
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2)  choosing  elements  -  there  are  several  types  of  elements  (e.g.  plain 
strain,  plain  stress,  2-dimensional,  3-dimensional)  and  these  types  of  el¬ 
ements  must  be  chosen  to  adequately  describe  the  stress  -strain  behavior 
of  the  portion  of  the  structure  under  consideration. 

3)  choosing  appropriate  element  meshes  and  connectivities  •  the  dimen¬ 
sions  of  the  elements  must  be  chosen  to  accurately  determine  the  stress 
gradients  and  stress  concentrations;  the  element  meshes  of  different 
sizes  and  perhaps  geometry  composing  a  particular  structural  detail 
must  be  properly  interfaced  to  prevent  inaccuracies  in  the  critical 
stresses. 

4)  defining  material  properties  -  stress-strain  properties  such  as  the 
modulus  of  elasticity,  yield  stress  -  strain,  and  ultimate  stress-strain  (for 
nonlinear  finite  element  analyses)  must  be  accurately  defined;  conserva¬ 
tive  nominal  values  frequently  used  in  traditional  design  methods  must 
be  replaced  with  expected  or  "best  estimate"  characteristics  that  will  be 
expected  in  the  particular  detail. 

5)  defining  boundary  conditions  -  the  boundary  condition  restraints 
and/or  loadings  must  be  accurately  determined  from  a  "global"  struc¬ 
tural  analysis,  the  loadings  must  be  properly  defined  and  include  all  of 
the  important  sources  of  imposed  or  induced  stresses  and  strains;  the 
global  "coarse"  structural  analysis  must  have  appropriate  elements  as 
previously  discussed  and  there  must  be  adequate  detail  of  these  elements 
in  the  vicinity  of  the  fine  mesh  finite  element  analysis  detail  to  permit 
accurate  determination  of  the  boundary  conditions  and  loadings. 

Errors  that  occur  in  FEA  of  CSD  are  not  as  straightforward  as  they  may 
seem,  due  to  the  complex  nature  of  FEA.  Without  a  thorough  training  in  FEA 
and  a  good  feel  for  the  structure  being  modeled,  errors  can  be  very  difficult  to 
recognize.  Organizations  can  likewise  make  errors  in  FEA  usage. 

Insufficient  FEA  training,  guidelines  for  FEA  usage,  and  verification  and 
checking  techniques  for  FEA  models  are  all  examples  of  organizational  error. 
QA  /  QC  measures  can  be  instigated  to  correct  these  errors. 

The  problems  inherent  in  computer  design,  and  FEA  in  particular,  are 
outlined  in  the  following  sections.  A  general  analysis  of  FEA  is  then  per¬ 
formed,  using  a  generic  organization  typical  of  modern  design  and  analysis 
organizations.  This  organization  is  then  re-configured  with  new  standards 
and  QA  /  QC  measures  and  analyzed  again. 


Bisks  of  Automated  Design 

There  are  several  general  problems  associated  with  highly  automated 
design,  some  of  which  are  outlined  here.  Although  they  are  not  examined  in 
detail,  they  provide  a  valuable  background  for  understanding  some  of  the  po¬ 
tential  problems  of  specific  applications  such  as  FEA. 
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The  finite  element  method,  as  well  as  other  computer  design  applica¬ 
tions,  allows  engineers  to  economically  design  and  analyze  structures  that  are 
much  more  complex  than  previously  possible.  However,  this  ability  does  not 
come  without  its  associated  risks.  Using  computer  techniques  for  design  and 
analysis  has  several  inherent  problems.  It  may  also  bring  about  new  risks  be¬ 
cause  of  its  abilities.  This  is  both  an  individual  and  organizational  issue.  An 
individual  must  be  aware  of  the  limits  of  the  application,  and  the  organization 
must  be  willing  to  adequately  train  all  users  and  must  not  promote  the  tool  as  a 
panacea  for  all  design  problems. 

Petroski  [1985]  points  out  many  of  the  possible  problems  arising  from  the 
use  of  computers  in  design  of  structures.  Some  of  these  are  detailed  in  this 
section.  Perrow  [1984]  discusses  the  phenomenon  of  "radar-assisted  colli¬ 
sions",  an  example  of  how  improved  technology  can  lead  to  lower  safety  and 
control.  This  topic  is  presented  as  a  loose  analogy  to  FEA  and  to  illustrate  how 
reliance  on  new  technology  can  be  harmful.  Knoll  [1986]  pointed  out: 

"The  computer  is  the  ultimate  fool  and  we  have  elevated  it  to  the 

ultimate  authority.  What  is  going  to  be  the  price?" 

Computer  Optimization.  Complex  structures  historically  have  been  in¬ 
tentionally  over  designed.  This  was  done  because  design  iteration  was  simply 
too  time-consuming  to  carry  out  by  hand,  due  to  the  many  complicated  calcula¬ 
tions  involved.  Computer  design  and  analysis  of  structures  has  changed  this. 
Now  design  iteration  is  possible  and  all  aspects  of  a  structure  can  be  optimized 
for  the  lowest  required  capacity  to  minimize  cost,  weight  or  another  key  char¬ 
acteristic. 

This  can  lead  to  problems  in  several  ways.  The  safety  factors  being  used 
in  the  designs  are  based  upon  experience  with  the  over  designed  structures, 
and  may  be  low  for  thoroughly  optimized  structures.  This  can  result  in  fail¬ 
ures  which  would  have  been  avoided  without  computer  optimization.  The  op¬ 
timized  structures  will  also  tend  to  be  less  robust,  having  more  weak  links, 
which  also  makes  them  more  susceptible  to  failure. 

Computer  Reliance.  Engineers  using  computers  extensively  tend  to  lose 
a  feel  for  the  behavior  of  the  structure.  They  tend  to  believe  implicitly  in  com¬ 
puter  answers.  This  is  due  in  part  to  the  accuracy  reported  in  computer  an¬ 
swers,  which  is  almost  never  a  reflection  of  the  accuracy  of  the  input  data. 

A  good  sense  of  the  structure  in  question  will  always  be  necessary  to  en¬ 
gineers.  Computer  applications  fall  short  of  being  able  to  carry  out  a  complete 
design  or  analysis  by  themselves.  It  is  still  necessary  for  an  engineer  to  be  able 
to  identify  the  various  failure  modes  which  he  believes  a  structure  may  be  sub¬ 
ject  to.  Computers  cannot  be  used  for  design,  as  they  still  cannot  compute  all 
of  the  available  options  available  in  a  design,  so  engineers  must  remain  capa¬ 
ble  of  using  their  judgment. 

Verification.  Possibly  the  greatest  problem  in  computer  design,  FEA  in 
particular,  is  the  fact  that  structures  tend  to  be  so  complex  that  they  can  not  be 
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easily  verified  by  engineers  using  hand  calculations.  Even  simple  FEA  models 
of  details  tend  to  have  hundreds  or  even  thousands  of  elements,  which  is  far 
too  many  for  hand  calculation  checking.  This  means  that  an  engineer  must 
rely  on  simple  calculation  methods,  such  as  a  basic  beam  analysis,  to  deter¬ 
mine  whether  or  not  answers  are  of  the  correct  order  of  magnitude.  There  is 
no  means  to  verify  specific  stress  values  in  a  structure  short  of  model  and  pro¬ 
totype  testing. 

Therefore,  it  is  critical  that  engineers  be  capable  of  using  good  judgment 
when  interpreting  computer  output.  An  analysis  may  be  carried  out  using 
reasonable  techniques,  without  triggering  any  alarms,  and  still  contain  incor¬ 
rect  answers  by  means  shortcomings  in  the  application.  If  an  engineer  does 
not  have  an  intuitive  feel  for  what  values  are  reasonable,  he  will  not  be  likely  to 
catch  these  errors. 

Technology  Reliance.  Perrow  [1984]  describes  a  phenomenon  of  technol¬ 
ogy-reliance  :  "radar-assisted  collisions"  in  marine  traffic.  Radar  was  meant 
to  solve  the  problem  of  marine  collisions  in  the  simplest  manner  possible  :  al¬ 
low  the  crew  of  a  ship  to  accurately  "see"  their  surroundings,  and  thereby 
avoid  collisions  with  nearby  ships,  bridges,  shore,  etc.  Radar  was  quite  profi¬ 
cient  at  identifying  these  dangers.  However,  the  collision  rate  did  not  go  down 
with  the  advent  of  radar. 

Why  did  improved  "sight"  not  lead  to  a  lowering  of  collisions?  Because 
the  gain  in  vision  was  used  to  increase  speed,  not  as  an  anti-collision  measure. 
Vessels  previously  proceeded  slowly  when  they  were  nearly  sightless,  but  with 
radar,  they  could  make  full  speed.  This  worked  well  as  long  as  their  radar 
was  in  good  operation  and  no  other  ships  with  radar  were  in  the  vicinity. 
However,  once  radar  became  common,  it  was  difficult  to  anticipate  what 
course  another  vessel  would  take  based  on  its  own  interpretations  of  its  sur¬ 
roundings.  Radar  also  failed  to  reduce  accident  rates  because  it  was  a  fairly 
complicated  tool  to  operate,  and  was  not  a  universal  answer  to  collision  avoid¬ 
ance,  as  most  people  believed  it  to  be.  Finally,  radar  incorporates  some  auto¬ 
mated  features,  such  as  "closest  point  of  approach",  which  can  be  fooled  and 
incorrectly  interpreted.  Features  like  this,  when  incorrectly  interpreted,  led  to 
"non-collision  course  collisions"  and  "radar-assisted  collisions". 

Obviously,  radar  is  not  a  direct  analogy  to  FEA.  However,  FEA  was  de¬ 
veloped  as  a  tool  to  understand  the  behavior  of  a  structure,  and  is  being  used  to 
minimize  weight  and  cost  by  reducing  strength  to  minimum  necessary  levels. 
It  is  also  a  fairly  complicated  tool  to  operate,  with  features  which  are  not  al¬ 
ways  correctly  interpreted.  It  is  also  viewed  at  times  as  a  universal  answer  to 
structural  behavior,  although  it  often  falls  short  in  several  ways. 
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The  author  conducted  interviews  with  users  of  FEA  packages  and  com¬ 
bined  this  information  with  existing  literature  to  identify  some  common  errors 
which  arise  from  the  use  of  FEA  in  ship  CSD.  These  errors  are  not  specific  to 
a  particular  FEA  package.  The  errors  arise  because  of  the  variations  in  mod¬ 
eling  techniques,  the  differences  between  finite  element  models  and  real  three- 
dimensional  structures,  and  the  problems  inherent  in  checking  complex  com¬ 
puter  calculations. 

Some  of  these  problems  could  be  lessened  by  definitive  guidelines  in  the 
use  of  FEA.  However,  it  is  difficult  to  define  a  "fixed"  procedure  that  gives  con¬ 
sistent  results  for  CSD.  Initial  comparisons  of  fatigue  lives  have  differed  by 
factors  of  10  to  over  50  depending  upon  application  and  usage  ]Bea,  1993]. 

In  a  study  conducted  under  the  auspices  of  the  International  Ship  and 
Offshore  Structures  Congress  (ISSC)  the  results  from  FEA  of  the  transverse 
frame  of  a  350,0000  DWT  tanker  have  been  reported  [Ziliotto,  1991].  The  trans¬ 
verse  frame  drawings  and  loading  conditions  were  supplied  to  nine  FEA  ex¬ 
perts.  These  experts  performed  the  FEA  of  the  transverse  frame  and  then 
compared  the  results. 

The  maximum  bending  moments  determined  at  the  bottom  transverse 
in  the  wing  tank  differed  by  a  factor  in  excess  of  4.  The  normal  force  in  the 
transverse  frame  strut  differed  by  a  factor  in  excess  of  2.  The  axial  stress  in 
the  flange  of  the  bracket  between  the  bottom  transverse  and  the  longitudinal 
bulkhead  differed  by  40  %.  These  differences  were  due  to  differences  in  the  as¬ 
sumptions  made  in  defining  the  FEA  models  )mesh,  boundary  conditions, 
types  of  elements)  and  in  differences  in  the  FEA  solution  procedures.  The  def¬ 
inition  of  boundary  conditions  was  the  assumption  that  had  the  largest  affect 
on  the  results  [Ziliotto,  et  al.,  1991]. 

A  similar  and  later  study  of  FEA  of  the  ship  global  structure  and  local 
FEA  CSD  has  been  reported  by  Sumi,  et  al.  [1994].  This  study,  performed  un¬ 
der  the  auspices  of  the  ISSC,  involved  two  stages  of  FEA  of  a  CSD  in  an  88,000 
DWT  tanker  performed  by  eleven  FEA  experts.  The  first  phase  was  intended  to 
define  the  boundary  and  loading  conditions  of  the  CSD.  The  second  phase  was 
intended  to  define  the  local  hot  spot  stresses.  Loading  conditions  were  speci¬ 
fied,  but  the  assumptions  and  performance  of  the  global  and  local  FEA  left  to 
the  experts. 

The  first  phase  results  indicated  the  critical  stresses  at  the  boundaries  of 
the  CSD  studied  differed  by  factors  in  the  range  of  2.1  to  3.6  The  Coefficient  of 
Variation  in  the  first  phase  results  ranged  from  23  %  to  35  %. 

The  second  phase  results  indicated  hot  spot  stresses  that  differed  by  fac¬ 
tors  in  the  range  of  1.6  to  2.0.  The  Coefficient  of  Variation  in  the  second  phase 
results  franged  from  15  %  to  20  %. 


i 


206 


Chapter  9  Examples:  Qualitative  &  Quantitative  Analyses 

In  the  Phase  1  analyses,  the  principal  sources  of  the  differences  were 
identified  as  the  structural  idealization  in  the  vicinity  of  the  supported  bound¬ 
aries,  and  the  element  types  and  mesh  subdivisions  used  in  the  analyses.  In 
the  Phase  2  analyses,  the  deformation  modes  applied  on  the  boundaries  of  the 
local  CSD,  the  types  of  elements,  and  again  the  mesh  types  and  subdivisions. 

It  was  noted  that  the  accuracy  of  the  stress  values  at  the  hot  spots  could 
be  improved  by  using  an  adaptive  meshing  technique  which  is  available  in 
some  commercial  codes  [Sumi,  1994].  This  recommendation  has  been  used  by 
Ma  and  Bea  [1994]  in  a  recent  study  of  hot  spot  stresses  in  CSD.  The  adaptive 
meshing  technique  integrated  into  the  FEA  code  was  utilized  in  this  study.  A 
major  problem  with  mesh  incompatibility  was  identified  and  eventually  solved. 
The  mesh  incompatibility  had  major  influences  on  the  FEA  hot  spot  stresses. 
This  is  a  problem  for  verification  of  the  FEA  code  which  itself  can  contain  sig¬ 
nificant  error  inducing  routines  or  capabilities  [Thompson,  1993], 

Mesh  Incompatibility.  For  results  to  be  accurate,  the  mesh  of  a  finite  el¬ 
ement  model  must  be  compatible  from  element  to  element.  Where  discontinu¬ 
ities  in  the  mesh  exist,  there  are  likely  to  be  discontinuities  in  the  stress  distri¬ 
bution,  which  can  affect  an  entire  analysis,  even  when  the  incompatibility  oc¬ 
curs  in  a  low  stress  area,  far  away  from  the  point  of  interest. 

The  problem  in  mesh  compatibility  arises  because  it  is  necessary  to  de¬ 
fine  "fine"  mesh  over  the  area  of  interest  and  "coarse"  mesh  elsewhere. 

Coarse  mesh  must  be  used  to  reduce  computing  time  to  reasonable  levels, 
while  fine  mesh  must  be  used  to  obtain  a  sufficiently  detailed  analysis  of  the 
hot  spot  area.  The  problems  of  mesh  compatibility  arise  in  the  areas  where 
coarse  mesh  and  fine  mesh  border.  An  intermediate  mesh  is  required  in  these 
areas.  This  intermediate  mesh  supplies  connectivity  between  the  fine  and 
coarse  mesh  nodes  so  that  the  stresses  and  strains  determined  at  these  nodes 
are  correctly  interfaced.  This  concept  is  illustrated  in  Figure  9.41. 


Figure  9.41  -  Automated  adaptive  meshing  (incorrect)  and  correct  mesh 
connectivity 
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Incorrect  mesh  connectivity  is  very  difficult  to  detect.  Most  programs  do 
not  have  a  feature  which  can  detect  this  type  of  problem,  so  incorrect  results 
are  returned  without  warning.  Therefore,  it  is  up  to  the  user  to  visually  exam¬ 
ine  the  model  for  mesh  incompatibility.  This  can  be  very  difficult  and  time 
consuming  in  a  complex  three-dimensional  model.  This  problem  is  also  in¬ 
herent  in  the  automatic  mesh  sizing  features  of  some  programs,  making  it 
more  difficult  to  detect.  Training,  attention  to  detail,  care,  and  provision  of  in¬ 
centives  to  "be  accurate"  are  critical  in  preventing  errors  of  this  type. 

Realistic  Modeling.  Current  FEA  packages  fall  short  of  perfectly  realis¬ 
tic  modeling  in  several  ways.  FEA  programs  seek  to  model  three  dimensional 
structures  with  one  and  two  dimensional  elements.  This  is  done  because  three 
dimensional  elements  would  require  enough  nodes  to  slow  down  FEA  applica¬ 
tions  to  the  point  of  being  uneconomical.  The  use  of  one  dimensional  and  two 
dimensional  models  has  drawbacks  and  risks,  however. 

Using  two  dimensional  elements  can  result  in  a  model  that  accurately 
represents  most  aspects  of  a  ship  structure.  However,  some  aspects  cannot  be 
accurately  modeled.  Elements  which  overlap  other  elements,  for  example, 
cannot  be  accurately  modeled.  This  is  a  problem  in  modeling  CSD,  as  "locks" 
are  usually  used.  These  locks  are  plates  which  overlap  gaps  in  the  CSD. 

Another  problem  in  the  use  of  one  and  two  dimensional  analysis  is  the 
degree  of  accuracy  obtained.  It  is  very  difficult  to  determine  how  well  a  non- 
three  dimensional  element  models  the  behavior  of  a  three  dimensional  ele¬ 
ment,  as  testing  is  not  possible.  It  is  also  difficult  for  most  engineers  to  antici¬ 
pate  how  a  one  or  two  dimensional  element  will  behave.  This  means  that  er¬ 
rors  in  the  modeling  are  more  difficult  to  detect. 

A  related  shortcoming  of  FEA  in  CSD  modeling  is  the  problem  of  model¬ 
ing  welds  and  other  non-standard  shapes.  It  is  relatively  easy  to  model  plates 
and  beams  accurately,  but  welds  are  a  different  matter.  Welds  will  have  indi¬ 
vidual  shapes  and  be  of  varying  quality,  as  they  are  products  of  hand  work¬ 
manship. 

Welding  also  introduce  residual  stresses  which  are  extremely  difficult  to 
quantify,  as  well  as  being  of  indeterminate  consistency.  Residual  stresses  are 
present  in  all  welded  structures.  Residual  stresses  can  be  local  to  the  weld  and 
global  to  the  structural  system.  The  global  system  residual  stresses  will  be 
highly  dependent  on  the  assembly,  welding,  and  any  pre-heating  procedures. 
The  residual  stresses  can  be  at  or  close  to  yield  in  large  areas  of  the  structure 
and  CSD.  Given  additional  loading,  plastic  strains  are  developed  which  can 
dramatically  affect  the  distribution  of  stresses. 

All  of  these  issues  are  a  problem  in  FEA  (most  of  which  presume  linear 
material  behavior)  because  the  geometry,  residual  stresses,  material  yield, 
and  material  consistency  of  the  welded  material  are  not  considered  when 
stress  concentrations  are  calculated  in  these  areas.  These  limitations  in  FEA 
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modeling  puts  a  serious  limitation  on  the  accuracy  which  can  be  obtained  in 
FEA. 


It  is  for  these  reasons  that  in  industries  that  have  developed  very  ad¬ 
vanced  FEA  capabilities,  such  as  the  commercial  airframe  industry,  do  not 
"believe"  results  from  FEA  until  they  have  been  calibrated  and  verified  with 
small  specimen  testing  and  large  assembly  testing  [Bea,  1993].  Extensive  labo¬ 
ratory  and  prototype  testing  provides  the  essential  ingredient  to  being  able  to 
use  FEA  in  the  design  of  commercial  and  combatant  airframes. 

Element  Sizing.  The  choice  of  relative  element  size  can  have  an  effect  on 
the  stresses  obtained  in  analysis.  This  is  due  to  the  averaging  effects  of  the  fi¬ 
nite  element  method,  as  illustrated  in  Figure  9.42.  Smaller  elements  will  tend 
to  give  higher  stresses  than  larger  elements  in  the  same  area  in  regions  where 
stress  increase  with  proximity  to  a  discontinuity,  such  as  a  joint  or  angle.  The 
average  stress  for  an  element  is  indicated  by  a  dotted  line.  It  can  be  seen  that 
smaller  elements  will  give  higher  stresses.  Therefore,  the  engineer  using 
FEA  must  be  aware  of  this  problem  and  have  an  intuitive  feel  for  what  a  rea¬ 
sonable  stress  level  in  the  given  type  of  detail  would  be.  An  engineer  not  famil¬ 
iar  with  this  effect  may  not  realize  that  stress  concentrations  are  high  if  large 
elements  are  used,  and  may  believe  stresses  are  deceptively  high  if  small  ele¬ 
ments  are  used. 


Stress 


Stress 


LARGE  ELEMENTS 


SMALL  ELEMENTS 


Figure  9.42  -  Hot  spot  extrapolation  stress  levels  and  element  sizes 


Linear  Analysis.  Most  FEA  packages  use  linear  approximations  of  the 
stress-strain  relationship  for  materials.  As  discussed  earlier  in  this  section, 
this  means  that  plastic  deformation  is  not  considered.  This  can  lead  to  infinite 
stress  concentrations  at  singularities.  This  problem  must  be  treated  in  the 
same  manner  as  mesh  sizing  :  the  engineer  must  be  aware  of  the  phe¬ 
nomenon  to  recognize  it,  and  must  have  a  feel  for  what  the  true  stress  value  in 
the  area  would  be. 
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Quality  Profile  F or  FEA  of  CSD 

In  order  to  apply  a  quality  profile  to  a 
portion  of  a  ship  structure  design  analysis 
such  as  FEA  of  CSD,  it  was  necessary  to 
develop  a  quality  profile  for  a  design  analysis 
tool.  This  required  identifying  the  properties 
of  an  analysis  tool  which  indicate  high  or  low 
quality  and  reliability.  A  list  of  characteristics 
indicative  of  the  quality  of  analysis  tools  is 
given  in  Table  9.6. 

Accuracy  refers  to  how  well  the  tool 
represents  the  actual  structure  and  its 
behavior.  Correctness  refers  to  the  lack  of 
faults  or  flaws  in  the  procedures.  Consistency 
refers  to  the  repeatability  of  results  for  similar 
problems  with  different  users. 

Input  Practicality  refers  to  the  ease  of 
use  of  the  tool  and  how  difficult  or  simple  it  is 
to  model  a  structure  or  process.  It  also  refers  to  the  availability  of  input  data. 
Output  refers  to  the  clarity  of  the  answers  given  by  the  tool  and  whether 
problems  are  made  evident. 

Compatibility  refers  to  the  ability  of  the  design  procedure  to  be  readily  in¬ 
tegrated  into  common  engineering  and  naval  architecture  procedures. 
Simplicity  refers  to  the  degree  of  complication,  intricacy,  and  difficulty  of  un¬ 
derstanding  and  using  in  the  context  of  common  engineering  and  naval  archi¬ 
tecture  procedures. 

Intuitive  Verification  refers  to  the  ability  of  a  user  to  tell  whether  an¬ 
swers  appear  reasonable  or  not  by  experience  and  general  scientific  knowl¬ 
edge.  First  Principles  Verification  refers  to  the  ability  of  a  user  to  check  the 
accuracy  of  results  by  independent  and  /  or  "hand"  calculations.  Empirical 
Verification  refers  to  the  ability  to  check  the  results  given  by  the  tool  by  model 
or  full-scale  testing. 

Procedures  organization  and  documentation  refer  to  the  practicality  and 
clarity  of  the  written  procedures,  the  detail  and  correctness  of  their  documen¬ 
tation  and  the  effectiveness  of  the  information  transmission  contained  in  the 
written  procedures. 

A  tool  which  has  high  marks  for  all  of  these  attributes  should  give  high 
quality  results,  as  users  will  understand  its  workings  and  recognize  any  prob¬ 
lems,  as  well  as  knowing  how  accurately  the  tool  represents  reality.  A  tool 
with  an  indicated  low  quality  is  likely  to  produce  designs  with  undetected  prob¬ 
lems. 


Table  9.6  -  FEA  of  CSD  analy¬ 
sis  quality  profiling  charac¬ 
teristics 


Accuracy  /  Correctness 

_ Consistency _ 

_ Input  Practicality _ 

_ Output  Clarity _ 

Compatibility  /  Simplicity 
Intuitive  Verification 
First  Principles  Verification 
Empirical  Verification 
Procedures  Organization  / 
Documentation 
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Evaluation  of  Quality  Profile  for  Example  FEA 

A  quality  profile  for  the  example  FEA  of  the  example  CSD  is  given  in 
Figure  9.43. 


Accuracy 


Consistency 


Input 


I  III  I  I 

PRONE  TO  LOW  PRONE  TO  HIGH 

QUALITY  QUALITY 


Figure  9.43  -  Quality  Profile  for  example  FEA  of 
example  CSD 
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FEA  is  given  an  average  score  for  accuracy.  Although  FEA  can  be  very 
accurate  for  plates  and  simple  structures,  it  loses  accuracy  when  welds  and 
other  odd  features  must  be  included.  Its  accuracy  is  also  somewhat  deceptive, 
as  it  (like  most  computer  applications)  reports  many  more  significant  digits 
than  is  reasonable  based  on  the  uncertainties  and  approximations  involved. 

Consistency  is  given  a  low  score  because  of  the  high  dependence  on 
mesh  sizing,  which  is  a  function  of  user  judgment  and  will  vary  widely  with 
different  users. 
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Input  is  given  a  low  score  because  some  important  points  in  input  are  of¬ 
ten  glossed  over  in  FEA  packages,  particularly  mesh  sizing,  shortcomings  of 
non- three  dimensional  elements  and  the  effect  of  welds.  Output  is  given  a  low 
score  because  output  is  often  too  complex  to  check  thoroughly,  resulting  in 
users  "drowning  in  numbers".  Problems  can  easily  go  unnoticed.  Finally, 
FEA  will  not  identify  all  failure  modes. 

Compatibility  /  Simplicity  is  given  an  average  score  because  the  FEA  are 
merged  reasonably  with  common  engineering  procedures. 

Intuitive  Verification  is  given  a  low  score  because  users  do  not  have  a 
feel  for  how  a  one-  or  two-dimensional  structure  will  behave.  Users  are  also 
probably  ignorant  of  exact  stress  values  in  details. 

First  Principles  Verification  is  given  a  low  score  because  it  is  nearly  im¬ 
possible  to  check  even  a  small  section  of  a  structure  by  hand,  as  boundary  con¬ 
ditions  are  not  known.  Simple  beam  analysis  is  usually  the  best  method  of 
checking  available,  and  this  gives  only  an  order  of  magnitude  comparison. 

Empirical  Verification  is  given  a  low  score  because  actual  testing  would 
require  a  full-scale  model  and  a  very  large  number  of  strain  gauges.  Such 
testing  was  not  done,  and  in  general,  is  a  rarity  in  this  industry  [Schulte- 
Strathaus,  1993], 

Documentation  is  given  a  low  score  because  of  the  absence  of  definitive 
guidelines  and  procedures  to  perform  FEA  of  CSD.  The  example  FEA  com¬ 
puter  program  documentation  is  a  "nightmare."  Unnecessary  complexity  and 
incorrectness  in  the  documentation  abound. 

The  overall  Quality  Profile  of  the  example  FEA  of  the  example  CSD  is 
that  it  may  pass  designs  with  undetected  quality  problems. 


Example  2  -  Quantitative  Analysis 


The  example  FEA  of  the  example  CSD  is  examined  in  a  similar  fashion 
to  the  first  example,  although  the  sequence  of  EDA  is  different.  The  example  is 
divided  into  four  categories  of  HOE.  These  categories  and  their  components 
are  summarized  in  Table  9.7. 

Errors  in  mesh  compatibility  are  judged  to  be  the  product  of  ignorance 
(users  who  do  not  understand  how  to  correctly  form  the  mesh  to  pick  up  stress 
concentrations)  and  slips  (users  who  accidentally  define  a  mesh  with  disconti¬ 
nuities). 
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Realistic  modeling  errors  are 
expected  to  be  due  to  organizational 
ignorance  (organizations  which  do  not 
realize  the  approximations  and 
assumptions  implicit  in  modern  FEA, 
including  dimensionality  and  welds, 
and  promote  it  as  a  universal  tool  for 
design  problems). 

Element  sizing  errors  are 
expected  to  be  due  to  ignorance  (users 
who  do  not  understand  how  to  properly 
size  for  relevant  concentrations)  and 
selection  and  training  (users  who  can 
not  recognize  a  reasonable  or 
unreasonable  stress  concentration). 

Errors  due  to  linear  analysis 
factors  are  also  considered  to  be  errors 
of  ignorance  (users  who  are  unaware  of 
the  shortcomings  of  the  specific  FEA 
package  in  approximating  the  stress- 
strain  relationship)  and  selection  and  training  (users  whose  background  does 
not  give  them  a  feel  for  what  reasonable  values  are  and  what  the  implications 
of  a  linear  approximation  of  the  stress-strain  relationship  can  be). 


Quantitative  Analysis  -  Original  System 

A  baseline  error  rate  must  be  established  for  each  factor  in  the  example. 
All  of  the  errors  are  ones  that  should  not  occur  with  good  vigilance,  but  may  be 
expected  to  occur  under  normal  conditions.  These  errors  fit  the  category  of 
"Errors  of  commission  such  as  operating  the  wrong  button  or  reading  the 
wrong  display"  [Rettedal,  et  al,  1994;  Williams,  1988],  and  therefore  have  been 
assigned  a  likelihood  of  10'3  (for  the  FEA  of  the  CSD  design  phase). 

Errors  in  realistic  modeling,  an  organizational  error,  are  difficult  to  as¬ 
sign  a  base  rate  to.  Organizational  errors  are  difficult  to  assign  rates  in  gen¬ 
eral,  because  the  data  simply  is  not  available.  However,  the  problem  in  realis¬ 
tic  modeling  seems  to  be  less  severe  than  the  fatigue  analysis  organizational 
error  in  example  1  which  was  given  a  base  error  rate  of  10‘2,  so  the  use  of  10"3 
is  internally  consistent.  It  should  be  remembered  that  all  of  the  baseline  error 
rates  are  approximations,  and  cover  a  range  of  values. 

As  in  example  1,  the  probabilities  of  situations  to  induce  errors  being 
present  are  divided  equally  in  this  segment  of  the  analysis,  and  are  altered  in 
the  analysis  of  the  system  when  re-configured,  based  on  the  effect  of  new  QA  / 
QC  measures,  as  described. 


Table  9.7  -  HOE  factors  in  example 
FEA  of  CSD 

1  "  — ■ — - .  . . ggg 

L  MESH  COMPATIBILITY 

Human  Error,  Ignorance 

Human  Error,  Slips 

H.  REALISTIC  MODELING 

Organizational  Error,  Ignorance 

HL  ELEMENT  SIZING 

Human  Error,  Ignorance 

Human  Error,  Selection  and  Training 

IV.  LINEAR  ANALYSIS 

Human  Error,  Ignorance 

Human  Error,  Selection  and  Training _ 
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The  four  factors  are  examined  in  the  ETA  -  FTA  summarized  in  Figure 
9.44  through  9.47. 


Figure  9.44:  Factor  I  analysis 


Figure  9.45  -  Factor  II  analysis 


214 


Chapter  9 


Examples:  Qualitative  &  Quantitative  Analyses 


Error  in  Element 
Sizing  (10  -3) 
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5  x  10  -4 

P  (Error,  Ignorance) 
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Error  due  to 
Ignorance 


Error  due  to 
Selection  and 
Training 


2.5  x  10  -4 


P  (Error,  Seletion  and 
Training) 


Figure  9.46  -  Factor  III  analysis 


Error  in  Linear 
Analysis  (10  -3) 
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Error  due  to 
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Error  due  to 
Selection  and 
Training 

5x104 

P  (Error,  Ignorance) 

2.5  x  10  4 

P  (Error,  Selection  and 
Training) 


Figure  9.47  -  Factor  IV  analysis 


Quantitative  Analysis  -  Re-configured  System 

The  reconfiguration  of  the  system  to  reduce  the  likelihood  of  errors  in 
FEA  is  based  on  two  measures  :  increased  QA  /  QC  and  an  organizational 
change  in  view  of  FEA.  These  measures  are  described  for  each  factor  in  this 
section,  and  are  evaluated  in  the  following  section. 

Factor  I  can  be  improved  chiefly  by  concentration  on  training  in  the 
proper  usage  of  FEA.  When  users  understand  the  issues  involved  in  defining 
mesh  —  the  problems  of  discontinuities,  the  calculation  time  involved  in  coarse 
mesh,  etc.  —  they  will  be  much  less  likely  to  create  a  model  with  mesh  prob¬ 
lems,  as  well  as  being  more  likely  to  catch  errors  in  mesh  in  existing  models. 
Defining  a  standard  method  for  mesh  creation  would  have  a  very  good  effect  on 
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consistency.  It  would  also  improve  the  effectiveness  of  checking,  as  all  users 
would  be  basing  their  mesh  on  the  same  principles.  Development  of  standard 
practices  may  not  be  easy,  but  it  is  of  great  value  in  improving  quality. 

Changes  in  Factor  II  would  rely  on  an  organization-wide  change  of  view 
of  FEA.  The  shortcomings  of  FE A  in  modeling  physical  structures  and  behav¬ 
ior  must  be  realized  and  incorporated  into  the  use  of  FEA.  Complete  reliance 
on  FEA  is  unreasonable,  and  the  organization  must  present  this  attitude  to  the 
users  of  FEA.  Making  this  change  in  stance  will  be  difficult,  but  could  be  part 
of  the  increased  training  effort  required  in  work  on  the  other  factors. 

Factor  III  would  be  improved  by  QA  /  QC  focus  on  teaching  FEA  users 
the  shortcomings  of  FEA  in  representing  details,  particularly  the  relation  be¬ 
tween  element  size  and  stress  concentration  values.  Users  would  also  benefit 
from  a  background  on  what  are  reasonable  values  and  what  are  not.  Standard 
guidelines  would  be  very  helpful  in  reducing  this  problem,  as  guidelines  could 
detail  how  mesh  should  be  handled  in  areas  of  importance  where  stress  con¬ 
centrations  may  be  affected  by  element  sizing. 

Factor  IV  would  be  best  handled  in  the  same  manner  as  Factor  III,  by  a 
concentration  on  teaching  users  what  linear  analysis  problems  look  like  and 
how  they  can  be  recognized,  avoided  or  circumvented. 

The  system  is  now  analyzed  with  the  reconfiguration  suggestions  made 
in  the  previous  section.  The  probabilities  of  occurrence  have  been  changed, 
while  the  baseline  error  rates  have  remained  the  same. 

Factor  I  has  been  improved  by  a  QA  /  QC  focus  on  training  in  FEA  mesh 
definition  (Figure  9.48).  Users  will  be  much  less  likely  to  define  problematic 
mesh,  either  by  ignorance  or  mistake,  and  will  also  be  more  likely  to  catch  er¬ 
rors  in  mesh  definition. 


Error  in  Mesh 
Compatibility  (10  -3; 

V  N 

0.9 

Error  due  to 
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0.75  Error  due  to 

lx  10-4 

P  (Error,  Ignorance) 

|  anps 

2.5  x  10  -5 
P  (Error,  Slips) 


Figure  9.48  -  Factor  I  system  evaluation 


216 


Chapter  9  Examples:  Qualitative  &  Quantitative  Analyses 

Factor  II  would  experience  improvement  through  a  design  organiza¬ 
tion-wide  education  and  training  in  the  proper  use  and  application  of  FEA 
(Figure  9.49).  Once  the  approximations  and  assumptions  inherent  in  FEA  are 
widely  known,  users  will  be  less  likely  to  rely  on  it  completely,  and  more  verifi¬ 
cation  will  be  done,  thereby  lowering  the  likelihood  of  errors  in  realistic  model¬ 
ing. 


Figure  9.49  -  Factor  II  re-configured  system  evaluation 


Factor  III  would  be  improved  by  QA  /  QC  efforts  focusing  on  proper  ele¬ 
ment  sizing  of  details  and  a  set  of  established  guidelines  for  FEA  usage  (Figure 
9.50).  An  effort  in  hiring  QA  /  QC  to  focus  on  engineers  knowledgeable  in  first 
principles  would  also  reduce  error  probabilities,  as  misleading  stress  concen¬ 
trations  could  be  recognized. 


Figure  9.50  -  Factor  III  re-configured  system  evaluation 
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Factor  IV  would  benefit  in  the  same  ways  as  Factor  III  from  improved 
QA  /  QC  efforts  in  training  and  hiring,  as  well  as  from  standard  FEA  usage 
guidelines  (Figure  9.51). 
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Training) 


Figure  9.51  -  Factor  IV  re-configured  system  evaluation 


Observations  -  Quantitative  Analysis 

Table  9.8  summarizes  the  results  from  the  original  and  revised  system 
evaluations.  In  the  original  FEA  design  system,  each  of  the  four  categories  of 
HOE  have  about  the  same  likelihood  of  occurrence.  In  the  original  system,  the 
total  probability  of  an  significant  error  in  the  FEA  during  the  design  of  the  CSD 
is  equal  to  3  E-3. 

Each  of  the  four  HOE  factors  can  be  substantially  improved  by  the  use  of 
QA  /  QC  measures  and  design  organizational  training  in  the  applications  and 
limitations  of  FEA.  The  reduction  in  error  likelihood  achievable  with  each  of 
the  improvements  in  the  re-configured  FEA  system  is  identified  in  Table  9.8. 
After  the  design  FEA  system  reconfiguration  and  improvements,  the  probabil¬ 
ity  of  a  significant  error  in  the  FEA  during  the  design  of  the  CSD  is  equal  to  5 
E-4.  The  improvements  in  the  FEA  CSD  design  system  result  in  about  an  80  % 
reduction  in  the  likelihood  of  a  major  error. 

Factor  II  would  probably  be  the  most  important  element  to  concentrate 
improvement  efforts  on,  as  it  has  the  widest-reaching  effects.  Concentrating 
QA  /  QC  efforts  on  training  in  the  proper  use  of  FEA,  establishing  clear  guide¬ 
lines  for  FEA  usage,  and  changing  the  organizational  stance  towards  FEA  us¬ 
age  would  lessen  the  probability  of  an  error  occurring  in  FEA  use. 
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Table  9.8  -  Summary  of  results  from  Example  2 


IF  ACTOR  I  :  MESH  COMPATIBILITY 

Baseline  Error  Rate 

1.00E-03 

As  Configured 

As  Re-configured 

P  Ignorance 

0.50 

0.10 

P  Slips 

0.50 

0.25 

P  Error  -  Ignorance 

5.00E-04 

1.00E-04 

P  Error  -  Slips 

2.50E-04 

2.50E-05 

Total  P  Error 

7.50E-04 

1.25E-04 

Net  Change 

83% 

FACTOR  H  :  DIMENSIONALITY 

Baseline  Error  Rate 

1.00E-03 

As  Configured 

As  Re-configured 

P Ignorance 

0.50 

0.10 

P  Error  -  Ignorance 

5.00E-04 

1.00E-04 

Total  P  Error 

5.00E-04 

1.00E-04 

Net  Change 

80% 

FACTOR  m  :  ELEMENT  SIZING 

Baseline  Error  Rate 

1.00E-03 

As  Configured 

As  Re-configured 

P  Ignorance 

0.50 

0.10 

P  Selection  and  Training 

0.50 

0.25 

P  Error  -  Ignorance 

5.00E-04 

1.00E-04 

P  Error  -  Selection 

2.50E-04 

2.50E-05 

Total  P  Error 

7.50E-04 

1.25E-04 

Net  Change 

83% 

FACTOR  IV  :  LINEAR  ANALYSIS 

Baseline  Error  Rate 

1.00E-03 

As  Configured 

As  Re-configured 

P Ignorance 

0.50 

0.10 

P  Selection  and  Training 

0.50 

0.25 

P  Error  -  Ignorance 

5.00E-04 

1.00E-04 

P  Error  -  Selection 

2.50E-04 

2.50E-05 

Total  P  Error 

7.50E-04 

1.25E-04 

Net  Change 

83%  | 

These  results  are  consistent  with  those  identified  by  the  ISSC  study  cited 
earlier  [Sumi,  1994].  The  following  quotation  is  from  the  Conclusions  of  that 
study: 

"Some  specific  guidance  on  how  and  where  stresses  are  to  be  cal¬ 
culated  would  improve  consistency  in  results.  This  should  be  in¬ 
cluded  in  finite  element  guidelines.  Results  from  this  study  are 
believed  to  be  what  is  expected  in  current  finite  element  analysis 
and  point  to  a  need  for  a  more  well  defined  unified  approach  for 
finite  element  analysis  of  ship  structures.  This  is  particularly 
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important  when  the  consequences  of  differences  in  stress  are  con¬ 
sidered  in  fatigue  analysis  where  the  differences  are  multiplied 
several  times." 


Summary 


This  chapter  has  presented  examples  of  qualitative  and  quantitative  as¬ 
sessments  of  the  quality  characteristics  associated  with  design  of  marine 
structures.  Two  of  the  examples  have  focused  on  design  of  CSD  in  commercial 
tankers. 

The  purpose  of  these  examples  has  been  to  illustrate  how  HOE  analyses 
can  be  performed  to  identify  weak  links  and  critical  flaws  in  the  design  pro¬ 
cesses.  The  purpose  of  this  identification  is  to  then  allow  the  assessment  of 
how  best  to  improve  the  processes  so  that  the  desired  quality  /  reliability  is 
achieved. 

The  purpose  of  these  analyses  is  to  produce  insights  in  how  quality  in 
ship  structures  might  best  be  improved  and  to  promote  communications 
among  those  responsible  for  the  quality  of  ship  structures.  The  purpose  of  the 
analyses  is  to  encourage  a  comprehensive  evaluation  of  the  "system"  including 
its  human,  organization,  hardware,  procedure,  and  environmental  aspects. 

The  purpose  of  these  analyses  is  not  to  produce  numbers  nor  to  promote 
paralysis  by  analysis.  The  purpose  of  these  analyses  is  not  to  take  power  from 
those  responsible  for  the  quality  of  ship  structures.  Rather,  it  is  to  better  em¬ 
power  them  to  improve  the  quality  of  ship  structures  how,  where,  and  when  it 
is  needed.  Results  from  the  analyses  are  intended  to  help  identify  where  and 
how  best  to  use  limited  resources  to  improve  quality. 

The  fundamental  problem  in  improving  quality  is  not  knowing  what  to 
do.  The  fundamental  problem  is  not  doing  what  we  know  we  should  not  do. 

The  next  chapter  in  this  report  will  summarize  what  has  been  learned 
during  this  project  about  how  best  to  promote  quality  in  the  design  of  the  ship 
structure,  particularly  as  it  is  applied  to  the  SSC  reliability  based  ship  design 
procedures  development  efforts. 
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Introduction 


The  objective  of  this  chapter  is  to  summarize  the  previous  developments 
documented  in  this  report  in  the  form  of  general  guidelines  that  can  be  used  to 
improve  the  quality  of  ship  structures  during  the  design  process.  The  guide¬ 
lines  are  focused  human  error  control  and  management  before  and  during  the 
design  process.  The  objective  of  this  control  and  management  is  to  help  assure 
that  a  defined  level  of  quality  is  achieved  with  a  given  reliability. 

These  guidelines  are  cast  in  the  framework  of  development  of  a  new  ship 
structure  design  process  that  is  based  on  a  Loading  and  Resistance  Factor 
Design  (LRFD)  format  [Mansour,  et  al.  1993].  The  ship  structure  LRFD 
guidelines  are  being  developed  under  the  auspices  of  the  SSC  as  part  of  a  long¬ 
term  research  and  development  effort. 


Overview 


This  project  has  identified  five 
primary  interactive  and  related  compo¬ 
nents  that  are  involved  in  the  human  factor 
related  aspects  of  achieving  acceptable 
quality  in  design  of  ship  structures  (Figure 
10.1): 


1)  individuals  (members  of  the  design 
team), 

2)  organizations  (functional  and 
administrative  structures), 

3)  procedures  (ways  of  doing  things), 

4)  systems  /  hardware  (physical 
equipment,  facilities,  structures), 
and 

5)  environments  (complex  of  climatic 
and  biotic  factors;  aggregate  of  so¬ 
cial  and  cultural  conditions). 


pi 

111 

Isa 


Figure  10.1  -  Human 
performance  factors 
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Reason  [1990]  suggested  that  latent  problems  with  insufficient  quality 
(failures,  accidents)  in  technical  systems  are  similar  to  diseases  in  the  human 
body: 


"Latent  failures  in  technical  systems  are  analogous  to  resident 
pathogens  in  the  human  body  which  combine  with  local  trigger¬ 
ing  factors  (i.e.,  life  stresses,  toxic  chemicals  and  the  like)  to  over¬ 
come  the  immune  system  and  produce  disease.  Like  cancers  and 
cardiovascular  disorders,  accidents  in  defended  systems  do  not 
arise  from  single  causes.  They  occur  because  of  the  adverse  con¬ 
junction  of  several  factors,  each  one  necessary  but  not  sufficient  to 
breach  the  defenses.  As  in  the  case  of  the  human  body,  all  techni¬ 
cal  systems  will  have  some  pathogens  lying  dormant  within 
them." 

Reason  [1992]  developed  eight  assertions  regarding  error  tolerance  in 
complex  systems  in  the  context  of  ships  and  aircraft: 

1)  The  likelihood  of  an  accident  is  a  function  of  the  number  of  pathogens 
within  the  system. 

2)  The  more  complex  and  opaque  the  system,  the  more  pathogens  it  will 
contain. 

3)  Simpler,  less  well-defended  systems  need  fewer  pathogens  to  bring 
about  an  accident. 

4)  The  higher  a  person's  position  within  the  decision-making  structure 
of  the  organization,  the  greater  is  his  or  her  potential  for  spawning 
pathogens. 

5)  Local  pathogens  or  accident  triggers  are  hard  to  anticipate. 

6)  Resident  pathogens  can  be  identified  proactively,  given  adequate  ac¬ 
cess  and  system  knowledge. 

7)  Efforts  directed  at  identifying  and  neutralizing  pathogens  are  likely  to 
have  more  safety  benefits  than  those  directed  at  minimizing  active 
failures. 

8)  Establish  diagnostic  tests  and  signs,  analogous  to  white  cell  counts 
and  blood  pressure,  that  give  indications  of  the  health  or  morbidity  of 
a  high  hazard  technical  system. 

During  this  project  and  during  the  six  years  of  research  that  has  been 
associated  with  this  project,  a  large  number  of  cases  have  been  studied  in  de¬ 
tail  in  which  errors  made  during  and  in  the  design  of  the  marine  structure 
lead  to  the  "failure"  (lower  than  desired  quality)  of  the  structure.  Several  of 
these  case  histories  have  been  detailed  in  Chapters  6,  7,  and  8.  Table  10.1 
summarizes  the  key  "causes"  of  these  failures. 
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The  single  dominant  cause  of 
structure  design  related  failures  has 
been  errors  committed,  contributed, 
and  /  or  compounded  by  the 
organizations  that  were  involved  in 
and  with  the  designs.  At  the  core  of 
many  of  these  organization  based 
errors  was  a  culture  that  did  not 
promote  quality  in  the  design  process. 

The  culture  and  the  organizations  did 
not  provide  the  incentives,  values, 
standards,  goals,  resources,  and 
controls  that  were  required  to  achieve 
adequate  quality. 

Loss  of  corporate  memory  also 
has  been  involved  in  many  cases  of 
structure  failures.  The  painful 
lessons  of  the  past  were  lost  and  the 
lessons  were  repeated  with  generally 
even  more  painful  results. 

The  second  leading  cause  of 
structure  failures  is  associated  with 
the  individuals  that  comprise  the 
design  team.  Errors  of  omission  and 
commission,  violations 
(circumventions),  mistakes,  rejection 
of  information,  and  incorrect 
transmission  of  information 
(communications)  have  been 
dominant  causes  of  failures.  Lack  of 
adequate  training,  time,  and  teamwork  or  back-up  (insufficient  redundancy) 
has  been  responsible  for  not  catching  and  correcting  many  of  these  errors. 

The  third  leading  cause  of  structure  failures  has  been  errors  embedded 
in  procedures.  Traditional  and  established  ways  of  doing  things  when  applied 
to  structures  and  systems  that  "push  the  envelope"  have  resulted  in  a  multi¬ 
tude  of  structure  failures.  There  are  many  cases  where  such  errors  have  been 
embedded  in  design  guidelines  and  codes  and  in  computer  software  used  in 
design.  Newly  developed,  advanced,  and  frequently  very  complex  design  tech¬ 
nology  applied  in  development  of  design  procedures  and  design  of  marine 
structures  has  not  been  sufficiently  "debugged"  and  failures  (compromises  in 
quality)  have  resulted. 

In  general,  designer  hardware  and  designer  environments  have  not 
played  major  roles  in  the  majority  of  structure  design  failure  cases.  The  ap¬ 
plication  of  modern  building  science  and  ergonomics  in  the  work  place  have 
been  responsible  for  this  condition. 


Table  10.1  -  Key  causes  of  structure 
design  related  failures 


*  new  or  complex  design  guidelines 
and  specifications 

*  new  or  unusual  materials 

*  new  or  unusual  types  of  loading 

*  new  or  unusual  types  of  struc¬ 
tures 

'  new  or  complex  computer  pro¬ 
grams 

»  limited  qualifications  and  experi¬ 
ence  of  engineering  personnel 
'  poor  organization  and  manage¬ 
ment  of 

engineering  personnel 
'  insufficient  research,  develop¬ 
ment  and  testing  background 

*  major  extrapolations  of  past  engi¬ 
neering  experience 

1  poor  financial  climate,  initial  cost 
cutting 

*  poor  quality  incentives  and  quality 
control  procedures 

1  insufficient  time,  materials,  pro¬ 
cedures,  and  hardware 
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Based  on  the  study  of  non-marine  structure  failures  summarized  in 
Chapter  5,  it  is  obvious  that  the  same  types  and  ordering  of  factors  have  been 
involved  in  failures  of  onshore  structures.  The  marine  and  the  ship  structure 
design  fields  are  not  unique  in  this  aspect. 

Another  important  concept  has  developed  from  these  failure  cases.  This 
concept  is  that  making  the  structures  stronger  or  utilizing  larger  factors  of 
safety  in  its  design  is  not  an  effective  or  efficient  way  to  achieve  sufficient  and 
desirable  quality  in  the  structures.  Resources  are  best  focused  at  the  sources  of 
the  quality  problem  which  in  this  case  are  the  humans  involved  in  the  struc¬ 
ture  design  activities. 

This  is  not  to  say  that  one  should  not  consider  the  human  aspects  di¬ 
rectly  in  the  structure  design  procedures  and  processes.  Human  errors  will 
occur  during  design,  construction,  and  operations.  One  key  objective  of  the  de¬ 
sign  process  should  be  to  make  the  ship  structure  so  that  it  can  better  tolerate 
such  errors  and  the  defects  and  damage  that  it  brings  with  it.  This  is  design 
for  "robustness."  This  is  design  to  minimize  the  effects  of  inevitable  human 
error  (fault  tolerance). 

Another  key  objective  of  the  design  process  should  be  to  make  the  ship 
structure  not  invite  or  promote  human  errors.  This  is  the  development  of  de¬ 
sign  procedures  and  processes  that  will  promote  quality  in  the  work  to  be  per¬ 
formed  by  designers,  constructors,  and  operators  of  ship  structures  (fault 
avoidance).  The  design  process  should  promote  detection  and  removal  of  er¬ 
rors  throughout  the  life-cycle  of  the  ship  structure  (fault  detection  and  re¬ 
moval). 

This  insight  indicates  the  priorities  of  where  one  should  devote  attention 
and  resources  if  one  is  interested  in  improving  and  assuring  sufficient  quality 
in  the  design  of  ship  structures: 

1)  organizations  (administrative  and  functional  structures), 

2)  individuals  (the  design  team),  and 

3)  procedures  (the  design  processes  and  guidelines). 

This  ordering  will  form  the  outline  for  the  remainder  of  this  chapter. 
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Quality  in  Design  Organizations 


Even  though  it  may  be  the  most  important,  the  organization  aspects  of 
ship  structure  design  quality  are  perhaps  the  most  difficult  to  define,  evaluate, 
and  modify.  Because  of  their  pervasive  importance  in  determining  the  quality 
which  is  achieved  in  the  design  of  ship  structures,  some  critical  aspects  of 
quality  in  design  organizations  will  be  addressed  in  this  section. 

The  ship  structure  design  process  should  be  viewed  in  the  context  of  the 
multiplicity  of  organizations  that  influence  the  quality  of  that  process.  The  or¬ 
ganizations  and  their  activities  form  a  "mega-system"  [Wenk,  1986]  that 
should  be  recognized  and  addressed.  These  mega-systems  and  their  organiza¬ 
tional  components  must  be  understood  as  "organisms,  living  systems  that  re¬ 
late  to  each  other." 

In  Chapter  7,  the  section  on  Organization  Responsibilities  attempted  to 
identify  the  major  components  of  this  mega-system  and  their  associated  re¬ 
sponsibilities. 

The  implementation  of  TQM  in  design  organizations  is  a  current  exam¬ 
ple  of  efforts  directed  at  the  organization  aspects  associated  with  design  of  ship 
structures.  Chapter  2  of  this  report  has  summarized  the  foundations  of  TQM 
and  defined  how  the  ISO  design  Quality  Standards  can  compliment  the  gen¬ 
eral  efforts  to  achieve  quality  in  design  organizations. 

Critical  flaws  to  avoid  in  implementing  these  approaches  is  development 
of  "minimum  compliance  mentalities"  and  making  them  an  unnecessarily 
burdensome  "paper  chase". 

Studies  of  HRO  (High  Reliability  Organizations)  [Roberts,  et  al.,  1989- 
1994]  has  shed  some  light  on  the  factors  that  contribute  to  risk  mitigation  in 
HRO  [Roberts,  1992].  HRO  are  those  organizations  that  have  operated  nearly 
"error  free"  over  long  periods  of  time.  A  variety  of  HRO  ranging  from  the  U.  S. 
Navy  nuclear  aircraft  carriers  to  the  Federal  Aviation  Administration  Air 
Traffic  Control  System  have  been  studied. 

The  HRO  research  has  been  directed  to  define  what  these  organizations 
do  to  reduce  the  probabilities  of  serious  errors  [Roberts,  1989].  Reduction  in 
error  occurrence  is  accomplished  by  the  following: 

1)  command  by  exception  or  negation, 

2)  redundancy, 

3)  procedures  and  rules, 

4)  training, 

5)  appropriate  rewards  and  punishment 

6)  the  ability  of  management  to  "see  the  big  picture". 
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Command  by  exception  (management  by  exception)  refers  to  manage¬ 
ment  activity  in  which  authority  is  pushed  to  the  lower  levels  of  the  organiza¬ 
tion  by  managers  who  constantly  monitor  the  behavior  of  their  subordinates. 
Decision  making  responsibility  is  allowed  to  migrate  to  the  persons  with  the 
most  expertise  to  make  the  decision  when  unfamiliar  situations  arise 
(employee  empowerment). 

Redundancy  involves  people,  procedures,  and  hardware.  It  involves 
numerous  individuals  who  serve  as  redundant  decision  makers.  There  are 
multiple  hardware  components  that  will  permit  the  system  to  function  when 
one  of  the  components  fails. 

Procedures  that  are  correct,  accurate,  complete,  well  organized,  well 
documented,  and  are  not  excessively  complex  are  an  important  part  of  HRO. 
Adherence  to  the  rules  is  emphasized  as  a  way  to  prevent  errors,  unless  the 
rules  themselves  contribute  to  error. 

HRO  develop  constant  and  high  quality  programs  of  training.  Training 
in  the  conduct  of  normal  and  abnormal  activities  is  mandatory  to  avoid  errors. 
Establishment  of  appropriate  rewards  and  punishment  that  are  consistent 
with  the  organizational  goals  is  critical. 

Lastly,  Roberts  [1992]  defines  HRO  organizational  structure  as  one  that 
allows  key  decision  makers  to  understand  the  big  picture.  These  decision 
makers  with  the  big  picture  perceive  the  important  developing  EDA,  properly 
integrate  them,  and  then  develop  high  reliability  responses. 

In  recent  organizational  research  reported  by  Roberts  and  Libuser 
[1994],  they  analyzed  five  prominent  failures  including  the  Chernobyl  nuclear 
power  plant,  the  grounding  of  the  Exxon  Valdez,  the  Bhopal  chemical  plant 
gas  leak,  the  mis-grinding  of  the  Hubble  Telescope  mirror,  and  the  explosion  of 
the  space  shuttle  Challenger.  These  failures  were  evaluated  in  the  context  of 
five  hypotheses  that  defined  "risk  mitigating  and  non-risk  mitigating"  or¬ 
ganizations.  The  failures  provided  support  for  the  following  five  hypotheses. 

1)  Risk  mitigating  organizations  will  have  extensive  process  auditing 
procedures.  Process  auditing  is  an  established  system  for  ongoing 
checks  designed  to  spot  expected  as  well  as  unexpected  safety  problems. 
Safety  drills  would  be  included  in  this  category  as  would  be  equipment 
testing.  Follow  ups  on  problems  revealed  in  prior  audits  are  a  critical 
part  of  this  function. 

2)  Risk  mitigating  organizations  will  have  reward  systems  that  encour¬ 
age  risk  mitigating  behavior  on  the  part  of  the  organization,  its  mem¬ 
bers,  and  constituents.  The  reward  system  is  the  payoff  that  an  individ¬ 
ual  or  organization  gets  for  behaving  one  way  or  another.  It  is  con¬ 
cerned  with  reducing  risky  behavior. 
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3)  Risk  mitigating  organizations  will  have  quality  standards  that  meet 
or  exceed  the  referent  standard  of  quality  in  the  industry. 

4)  Risk  mitigating  organizations  will  correctly  assess  the  risk  associated 
with  the  given  problem  or  situation.  Two  elements  of  risk  perception  are 
involved.  One  is  whether  or  not  there  was  any  knowledge  that  risk  ex¬ 
isted  at  all.  The  second  is  if  there  was  knowledge  that  risk  existed,  the 
extent  to  which  it  was  acknowledged  appropriately  or  minimized. 

5)  Risk  mitigating  organizations  will  have  a  strong  command  and  con¬ 
trol  system  consisting  of  five  elements:  a)  migrating  decision  making,  b) 
redundancy,  c)  rules  and  procedures,  d)  training,  and  e)  senior  man¬ 
agement  has  the  big  picture. 


In  conclusion,  the  foregoing 
TQM,  ISO,  and  HRO  strategies  and 
risk  mitigating  measures  are 
intended  to  develop  a  level  of  ship 
structure  design  organizational 
quality  and  reliability  that  will  be 
desirable  and  acceptable. 
Organizational  trust  and  integrity 
are  key  aspects  [Wilson,  1992]. 
These  measures  are  intended  to 
reduce  the  likelihoods  of  the 
categories  of  organizational  errors 
identified  in  Figure  10.2  to 
acceptable  and  desirable  levels. 
Responsibilities  for  implementation 
of  these  measures  have  been 
defined  in  Chapter  7  Table  7.5. 


Figure  10.2  -  Sources  of  organization 
errors 
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Quality  in  Design  Teams 


This  section  will  address  the 
activities  of  the  individuals  that 
are  directly  responsible  for  the 
design  of  ship  structures.  The 
activities  of  these  individuals  will 
be  placed  in  the  context  of  the 
structure  design  "team." 

Errors  on  the  part  of  the 
individuals  have  been  classified 
into  the  eight  categories  identified 
in  Figure  10.3.  As  indicated  in 
Figure  10.4,  these  errors  can 
potentially  affect  any  or  all  of  the 
five  major  components  that 
comprise  the  ship  design  process. 
There  are  two  primary  lines  of 
defense  to  prevent  and  /  or  detect 
and  correct  individual  errors.  The 
first  line  of  defense  is  centered  in 
the  individuals  performing  the 
design  analyses;  the  design  team. 
The  second  line  of  defense  is 
identified  as  QA  /  QC.  These  are 
activities  of  those  outside  the  de¬ 
sign  team. 


First  Line  of  Defense 

The  first  line  of  defense  is 
associated  with  prevention  and 
minimization  of  errors  made  and 
not  corrected  by  the  individuals 


Human  Error  Classification 


Communications 

transmission  of  information 

1  -  -  —  —  — 

Slips 

accidental  lapses 


_ Violations 

Infringement,  transgression 

_ Ignorance 

unawamess,  unlearned 


Planning  &  Preparation 

program,  procedures,  readiness 

Selection  &  Training 

suited,  educated,  practiced 
Limitations  &  Impairment 

fatigue,  stressed,  dlmished  senses 

_ Mistakes _ 

cognitive  errors 


Figure  10.3  -  Causes  of  individual  human 


errors 


to  construction 


not  corrected  by  the  individuals  Figure  10.4  -  Human  factor  influences  in 
that  perform  the  design  processes.  the  ship  structure  design  process 
The  quality  of  the  structural 
design  is  a  direct  function  of  the 

quality  of  the  design  team  that  performs  the  design.  Table  10.2  summarizes 
the  key  factors  that  are  need  to  be  addressed  to  develop  a  high  reliability  ship 
structure  design  team.  Many  of  these  factors  relate  directly  to  the  attributes  of 
HRO  and  risk  mitigating  organizations. 
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Table  10.2  -  Key  factors  in  development  of  a  high  reliability  ship  structure 

design  team 


Communications 

Procedures 

Information  evaluation 

Personnel  selection 

Organization 

Distributed  decision 

Training 

Leadership 

making 

Planning 

Monitoring 

Appropriate  operation 

Preparations 

Information  seeking, 

strategies 

Discipline 

observations 

Quality  incentives  and 

Quality  resources 

Controlling 

rewards 

Past  problems  associated  with  design  of  marine  structures  indicates 
that  effective  communications,  personnel  selection,  training,  provision  ade¬ 
quate  resources  to  achieve  the  desired  quality,  and  provision  of  quality  incen¬ 
tives  and  rewards  are  essential  elements  that  determine  the  frequency  and  in¬ 
tensity  of  human  factor  related  problems  in  structure  design. 

Communications  has  been  identified  as  a  major  human  factors  problem 
in  many  other  individual  and  team  situations.  The  way  in  which  information 
is  presented,  information  distortion  (biasing),  and  the  formatting  of  the  infor¬ 
mation  can  have  dramatic  affects  on  the  effectiveness  of  the  communications 
within  the  design  team. 

The  two  examples  that  addressed  ship  structure  design  problems  clearly 
identified  personnel  selection  and  training  as  key  issues.  Personnel 
performance  characteristics  need  to  be  matched  to  the  job  to  be  done.  Attention 
to  the  details  of  normal  and  unique  structural  requirements  is  an  essential 
performance  characteristics  needed  in  structural  designers. 

Training  of  design  personnel  must  also  match  the  job  to  be  done.  To  en¬ 
hance  the  performance  of  a  specific  task,  the  more  repetition  that  occurs,  then 
the  lower  the  likelihood  of  error.  To  enhance  problem  solving,  experience  in  a 
variety  of  tasks  is  needed. 

Training  of  design  personnel  will  be  particularly  important  as  an  LRFD 
ship  structure  design  process  is  implemented.  There  will  be  a  loss  of  "feel" 
during  the  early  phases  of  applying  such  a  new  design  process.  If  errors  are 
to  be  prevented  or  caught  and  corrected,  this  intuitive  feel  must  be  quickly  re¬ 
established  in  those  that  will  apply  the  new  guidelines. 

Training  of  design  personnel  to  understand  the  effects  of  biases  and 
heuristics  on  their  decisions  is  important.  Decision  makers  involved  in  the 
design  of  complex  structural  systems  need  to  be  taught  about  confirmation 
bias;  the  tendency  to  seek  new  information  that  supports  one's  currently  held 
belief  and  to  ignore  or  minimize  the  importance  of  information  that  may  sup¬ 
port  an  alternative  belief.  Rigidities  in  perceptions,  ignoring  potentially  criti- 
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cal  flaws  in  complex  situations,  rejection  of  information,  and  minimizing  the 
potentials  for  errors  or  flaws  result  from  confirmation  bias. 

While  not  a  panacea,  the  importance  of  continued  and  effective  training 
of  ship  structure  designers  can  not  be  over-emphasized,  particularly  as  a  new 
ship  structure  LRFD  design  guideline  is  implemented  into  practice. 

A  very  important  aspect  of  minimizing  designer  error  regards  team 
work.  Team-work  on  the  front  lines  of  the  design  process  can  provide  a  large 
measure  of  internal  QA  /  QC  during  these  operations  [Huey,  Wickens,  1993]. 
Team-work  can  be  responsible  for  interrupting  potentially  serious  and  com¬ 
pounding  sequences  of  events  that  have  not  been  anticipated.  It  is  such  team¬ 
work  that  is  largely  responsible  for  "near  misses."  And,  it  is  for  this  reason 
that  there  are  many  more  near  misses  than  there  are  accidents. 

As  a  result  of  his  work  on  human  errors  in  the  design  of  non-marine 
structures,  Melchers  [1987]  identified  seven  strategies  that  can  be  used  to 
manage  the  occurrence  and  effects  of  such  errors: 

1)  Education  -  on-the-job  and  continuing  professional  education. 

2)  Work  Environment  -  open-minded  goal-oriented. 

3)  Complexity  reduction  -  simplification  of  complex  design  tasks. 

4)  Personnel  selection  -  the  skills  and  abilities  of  the  team  members 
must  be  appropriate  for  the  type  of  design  to  be  performed. 

5)  Self-checking  -  alertness  to  spot  and  correct  significant  errors  made  by 
the  individuals  performing  the  design  process. 

6)  External-checking  -  provision  of  independent  reviews  to  detect  signifi¬ 
cant  errors  not  detected  by  the  design  team. 

7)  Legal  sanctions  -  deterrence  or  sanctions  to  inhibit  negligence  and  de¬ 
liberate  malpractice  (violations). 

Addressing  the  last  strategy,  Melchers  observed  [1986]: 

"There  is  evidence  to  suggest  that  sanctions  may  well  be  effective 
for  premeditated  crime  but  that  in  general  the  effect  is  likely  to  be 
most  pronounced  on  those  least  likely  to  be  involved.  It  is  reason¬ 
able  to  suggest  that  few  engineers  premeditate  to  perpetrate  er¬ 
rors,  so  that  the  most  likely  result  of  excessive  threat  of  legal  sanc¬ 
tion  is  inefficiency,  over-caution,  and  conservatism  in  the  execu¬ 
tion  of  work. " 


Second  Line  of  Defense 

QA  /  QC  in  structure  design  have  been  discussed  in  Chapter  7,  evalua¬ 
tions  of  their  effects  discussed  in  Chapter  8,  and  illustrations  of  how  they  can 
improve  the  quality  of  marine  structures  developed  in  Chapter  9.  Formalized 
methods  of  QA  /  QC  take  into  account  the  need  to  develop  the  full  range  of  qual¬ 
ity  attributes  in  the  ship  structure  including  serviceability,  safety,  durability, 
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and  compatibility.  These  attributes  have  been  defined  and  discussed  in 
Chapters  1  and  2. 

QA  /  QC  measures  are  focused  both  on  error  prevention  and  error  detec¬ 
tion  and  correction.  There  can  be  a  real  danger  in  excessively  formalized  QA  / 
QC  processes.  If  not  properly  managed,  they  can  lead  to  self-defeating 
generation  of  paperwork,  waste  of  scarce  resources  that  can  be  devoted  to  QA  / 
QC,  and  a  minimum  compliance  mentality. 

In  design,  adequate  QC  (detection,  correction)  can  play  a  vital  role  in  as¬ 
suring  the  desired  quality  is  achieved  in  a  marine  structure.  Independent, 
third-party  verification,  if  properly  directed  and  motivated,  can  be  extremely 
valuable  in  disclosing  embedded  errors  committed  during  the  design  process. 

In  many  problems  involving  insufficient  quality  in  marine  structures, 
these  embedded  errors  have  been  centered  in  fundamental  assumptions  re¬ 
garding  the  design  conditions  and  constraints  and  in  the  determination  of 
loadings.  These  embedded  errors  can  be  institutionalized  in  the  form  of  design 
codes,  guidelines,  and  specifications. 

It  takes  an  experienced  outside  viewpoint  to  detect  and  then  urge  the 
correction  of  such  embedded  errors.  The  design  organization  must  be  such 
that  identification  of  potential  major  problems  is  encouraged;  the  incentives 
and  rewards  for  such  detection  need  to  be  provided. 

It  is  important  to  understand  that  adequate  correction  does  not  always 
follow  detection  of  an  important  or  significant  error  in  design  of  a  structure. 
Again,  QA  /  QC  processes  need  to  adequately  provide  for  correction  after  detec¬ 
tion.  Potential  significant  problems  that  can  degrade  the  quality  of  a  structure 
need  to  be  recognized  at  the  outset  of  the  design  process  and  measures  provided 
to  solve  these  problems  if  they  occur. 

Knoll's  study  of  structure  design  errors  and  the  effectiveness  of  QA  /  QC 
activities  in  detecting  and  correcting  such  errors  lead  to  the  checking  strate¬ 
gies  summarized  in  Table  10.3  [1986]. 
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Table  10.3  -  Design  QA  /  QC  Strategies 


•WHAT  TO  CHECK? 

-  high  likelihood  of  error  parts  (e.g.  as¬ 
sumptions,  loadings,  documentation) 

-  high  consequence  of  error  parts 

•  WHEN TO  CHECK? 

-  before  design  starts  (verify  process, 
qualify  team) 

-  during  concept  development 

-  periodically  during  remainder  of  pro¬ 
cess 

-  after  design  documentation  completed 


•  HOW  TO  CHECK? 

-  direct  toward  the  important  parts  of  the 
structure  (error  intolerant) 

-  be  independent  from  circumstances 
which  lead  to  generation  of  the  design 

-  use  qualified  and  experienced  engineers 

-  provide  sufficient  QA  /  QC  resources 

-  assure  constructability  and  IMR 

•  WHO  TO  CHECK? 

-  the  organizations  most  prone  to  errors 

-  the  design  teams  most  prone  to  errors 

-  the  individuals  most  prone  to  errors 


The  structure  design  checking  studies  performed  by  Knoll  [1986],  the  se¬ 
ries  of  studies  performed  by  Melchers  and  Stewart  [1987-1990],  and  the  studies 
performed  during  this  project  on  marine  structures  indicate  that  there  is  one 
part  of  the  design  process  that  is  particularly  prone  to  errors  committed  by  the 
design  team.  That  part  of  the  process  is  the  one  that  deals  with  the  definition 
of  design  loadings  that  are  imposed  on  and  induced  in  the  structure.  This 
recognition  has  several  implications  with  regard  to  managing  HOE  in  design. 

The  first  implication  regards  the  loading  analysis  procedures  them¬ 
selves.  This  implication  will  be  further  detailed  and  discussed  in  the  next  sec¬ 
tion  of  this  chapter. 

The  second  implication  regards  the  education  and  training  of  structure 
design  engineers  in  the  development  and  performance  of  loading  analyses. 
Given  the  complexities  associated  with  performing  loading  analyses,  the  com¬ 
plexities  associated  with  the  loading  processes  and  conditions,  and  the  close 
coupling  between  the  structure  response  and  the  loading  environment,  it  is  lit¬ 
tle  wonder  that  loading  analyses  are  probably  the  single  largest  source  of 
structure  design  errors.  What  is  somewhat  disturbing  is  that  many  designers 
of  marine  structures  do  not  understand  these  complexities  nor  have  been 
taught  how  to  properly  address  them  in  structure  design. 

Again,  given  the  development  of  an  LRFD  ship  design  process  that  will 
involve  new  "loading  factors"  and  new  loading  combinations  associated  with 
these  factors  [Mansour,  Thayamballi,  1994],  training  of  ship  structure  design 
engineers  will  be  particularly  important.  This  training  requirement  will  be 
made  even  more  critical  as  advanced  Dynamic  Loading  Analyses  (DLA) 

[Chen,  et  al.,  1993]  are  implemented  in  very  sophisticated  computer  based  sys¬ 
tems  such  as  the  ABS  SafeHull  System  [Chen,  et  al.,  1993].  The  potential  for 
"radar  assisted  collisions"  cited  in  the  previous  chapter  should  be  recognized 
and  measures  put  in  place  to  prevent  such  occurrences. 
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It  is  noteworthy  that  formalized  procedures  have  been  developed  for  the 
QA/  QC  process  in  software  developments  [Barnes,  et  al.,  1993;  ISO,  1987; 
Thompson,  1993;  National  Agency  for  Finite  Elements  and  Standards,  1990], 
These  procedures  need  to  be  understood  and  implemented  to  avoid  embedding 
serious  flaws  in  ship  design  software. 

The  third  implication  regards  the  need  for  independent  (of  the  situations 
that  potentially  create  errors),  third-party  QA  and  QC  "checking"  measures 
that  are  an  integral  part  of  the  ship  structure  design  process.  This  checking 
should  start  with  the  basic  tools  (guidelines,  codes,  programs)  of  the  structure 
design  process  to  assure  that  "standardized  errors"  have  not  been  embedded  in 
the  tools.  The  checking  should  extend  through  the  major  phases  of  the  design 
process,  with  a  particular  attention  given  to  the  loading  analysis  portions  of 
that  process. 

The  intensity  and  extent  of  the  design  checking  process  needs  to  be 
matched  to  the  particular  design  situation.  Repetitive  designs  that  have  been 
adequately  "tested"  in  operations  to  demonstrate  that  they  have  the  requisite 
quality  do  not  need  to  be  verified  and  checked  as  closely  as  those  that  are  "first- 
offs"  and  "new  designs"  that  may  push  the  boundaries  of  current  technology. 


Quality  in  Design  Procedures 


A  specific  objective  of  this  project  has  been  to  address  whether  or  not 
HOE  should  be  reflected  in  structure  design  procedures  and  criteria. 
Specifically,  this  objective  was  directed  at  the  development  of  a  new  LRFD  pro¬ 
cedure  for  ship  structures. 

A  clear  conclusion  from  this  project  is  that  HOE  should  be  reflected  in 
the  new  LRFD  structure  design  procedures  and  criteria.  This  then  leads  to  the 
question  of  how  it  should  be  reflected. 

The  results  of  this  project  indicates  that  there  are  three  major  ways  in 
which  considerations  of  HOE  should  be  reflected  in  ship  structure  design  pro¬ 
cedures.  The  first  two  ways  have  been  discussed  in  the  preceding  sections. 

The  third  way  is  directed  at  helping  achieve  adequate  and  acceptable 
quality  in  the  design  procedures  and  processes  themselves.  The  results  from 
this  project  indicates  that  there  are  three  strategies  that  should  be  considered: 

•  Strategy  1  -  QA  /  QC  the  design  procedures  and  processes  (fault  avoid¬ 
ance), 

•  Strategy  2  -  QA  /  QC  is  integrated  as  a  requirement  directly  in  the  de¬ 
sign  procedures  and  processes  (fault  detection  and  correction),  and 
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•  Strategy  3  -  Measures  are  introduced  into  the  design  procedures  and 
processes  that  will  minimize  the  effects  of  HOE  on  the  quality  of  the 
ship  structure  (fault  tolerance). 


Strategy  1 

In  Chapter  3,  several  examples  were  developed  to  illustrate  how  errors 
that  could  lead  to  unacceptable  or  undesirable  quality  in  ship  structures  could 
become  embedded  in  the  development  of  an  LRFD  guideline,  or  any  guideline 
for  that  matter.  The  currently  popular  "calibration"  approach  to  assure  that 
LRFD  and  the  "old"  WSD  procedures  develop  comparable  or  the  same  results 
does  not  assure  that  ship  structure  quality  objectives  are  met.  Rather,  it  im¬ 
plies  that  the  same  quality  problems  inherent  in  the  old  WSD  procedure  are 
translated  into  the  LRFD  procedure. 

The  author  has  participated  for  more  than  25  years  in  the  development 
of  design  guidelines  for  offshore  platforms,  including  both  WSD  and  LRFD  de¬ 
velopments  in  the  U.  S.  and  overseas.  Development  of  a  design  code  or  guide¬ 
line  is  no  simple  undertaking.  Not  only  is  complex  technology  involved,  but  as 
well  complex  organization  and  political  issues  are  involved.  In  the  struggle  to 
develop  the  technical  and  organizational  consensus  that  should  be  represented 
in  a  design  code,  technical  completeness,  correctness,  and  crispness  can  be 
compromised. 

In  one  of  these  developments,  an  objective  that  was  defined  in  the  devel¬ 
opment  of  the  LRFD  guideline  was  to  achieve  "a  more  efficient  structure"  by 
balancing  the  reliabilities  of  the  elements  that  comprised  the  structure.  To  the 
LRFD  developers,  it  did  not  make  sense  that  some  components  in  the  structure 
should  have  very  low  probabilities  of  failure  while  other  components  had  much 
higher  probabilities  of  failure.  It  was  only  after  the  need  for  damage  and  defect 
tolerance  (robustness)  in  the  structure  was  recognized,  that  the  need  for 
"unbalanced"  design  became  apparent.  This  recognition  not  only  influenced 
the  design  processes  to  assure  adequate  strength  (capacity)  in  the  structure, 
but  as  well  its  ductility  and  fatigue  durability  characteristics.  Recognition  of 
the  needs  for  "fail-safe"  design  of  the  structures  had  major  effects  on  the  LRFD 
developments. 

Current  experience  indicates  that  if  not  properly  developed  and 
documented,  a  design  guideline  can  enhance  the  likelihood  of  significant 
errors  being  made  by  even  experienced  structural  designers.  These  errors  can 
lead  to  important  compromises  in  the  intended  quality  of  the  structure.  The 
errors  arise  primarily  because  of  the  dramatically  increased  complexity  of  the 
design  guideline,  its  similarly  increased  "opaqueness"  (frequently  caused  by 
associated  computer  software),  and  the  lack  of  sufficient  training. 

Research  has  shown  that  the  difficulty  of  a  particular  task  is  influenced 
by  five  primary  factors  [Huey,  Wickens,  1993]: 
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Figure  10.5 
procedures 


Causes  of  errors  in 


Table  10.4  -  Structure  analysis 
procedure  quality 
characteristics 


1)  structure  of  the  task, 

2)  task  goals  and  performance  criteria, 

3)  quality,  format  and  modality  of 

information, 

4)  cognitive  processing  required,  and 

5)  characteristics  of  the  input  /  output 

devices. 

The  more  difficult  a  task  is  made, 
then  the  more  likely  that  there  will  be 
errors.  Those  charged  with  development 
of  ship  structure  design  guidelines  should 
be  sensitized  to  these  factors.  Design 
guidelines  should  be  developed  that  will 
minimize  the  difficulty  of  the  tasks  to  be 
performed  and  thereby  enhance  the 
likelihood  of  high  quality  design  results. 

In  the  first  strategy,  the  results  of 
this  project  suggest  that  a  thorough  and 
independent,  third-party  QA  /  QC  system 
should  be  defined  and  implemented 
during  the  development  of  an  LRFD  ship 
structure  design  procedure.  The  QA  /  QC 
process  should  parallel  the  development  of 
the  LRFD  guidelines.  Due  to  the 
importance  of  such  a  procedure,  as  much 
effort  should  be  devoted  to  QA  /  QC  as  is 
devoted  to  the  LRFD  development  itself. 

This  first  strategy  has  two  primary 
objectives: 

1)  help  assure  technical  correctness, 
accuracy,  and  completeness,  and 

2)  eliminate  unnecessary  complexity,  poor  organization,  and  ineffective 
documentation  in  the  guidelines. 

A  procedures  related  classification  of  errors  has  been  developed  during 
this  project  and  is  shown  in  Figure  10.5.  In  the  last  example  developed  in 
Chapter  9,  a  qualitative  profiling  instrument  that  addressed  the  quality  aspects 
of  a  structure  design  procedure  was  proposed.  The  attributes  of  this  in¬ 
strument  are  summarized  in  Table  10.4. 


Accuracy  /  Correctness 


Consistency 


Input  Practicality 


Output  Clarity 


Compatibility  /  Simplicity 


Intuitive  Verification 


First  Principles  Verification 
Empirical  Verification 


Procedures  Organization  / 
Documentation 
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It  should  be  one  of  the  functions  of  the  first  strategy  to  enhance  the 
quality  of  the  design  guideline  as  much  as  is  reasonable  or  warranted.  The 
objective  is  to  help  minimize  design  team  errors  that  are  caused  by  errors  due 
to  procedures  and  processes. 

In  the  first  Strategy,  the  qualitative  and  quantitative  methods  developed 
and  illustrated  during  this  project  should  be  implemented  into  specific  parts  of 
the  LRFD  design  guideline  to  identify  the  specific  parts  of  the  guideline  that 
should  receive  additional  attention.  This  project  has  resulted  in  definition  of 
technology  that  can  be  used  to  help  improve  the  quality  of  the  LRFD  guidelines. 
It  should  be  used. 


Strategy  2 

The  second  strategy  is  to  embody  QA  /  QC  directly  and  explicitly  into  the 
design  guideline.  In  this  case,  requirements  for  assuring  adequate  quality  in 
the  designers  are  spelled  out.  Checking  procedures  are  defined  that  are  ap¬ 
propriate  for  the  particular  ship  structure.  Explicit  provisions  are  made  for 
the  correction  of  errors  committed  during  the  design  process. 

The  qualitative  and  quantitative  methods  developed  and  illustrated  dim¬ 
ing  this  project  should  be  implemented  into  specific  parts  of  the  LRFD  design 
guideline  to  identify  the  specific  parts  of  the  guideline  that  should  subject  to  QA 
/  QC. 


Design  procedure  QA  /  QC  approaches  have  been  discussed  in  Chapter 
7.  The  essence  of  the  approaches  is  summarized  in  Table  10.3.  Of  particular 
importance  is  the  guiding  principle  of  checking  "high  likelihood  of  error 
parts"  such  as  loading  analyses,  and  checking  "high  consequences  of  error 
parts"  of  the  design  process  such  as  design  documentation. 

Also  of  importance  is  the  need  to  be  independent  from  the  circumstances 
which  lead  to  the  generation  of  the  design.  This  refers  directly  to  the  need  for 
independent,  third-party  verification  to  disclose  embedded  errors  and  flaws  in 
the  design.  Research  and  experience  both  indicate  that  given  that  it  is  done 
properly,  third  party  verification  is  the  most  effective  way  to  detect  potential 
problems  in  the  structure  design  process. 

In  the  author's  experience  as  a  marine  structure  designer,  as  a  man¬ 
ager  of  marine  engineering  design  groups,  and  as  a  third  party  verification 
agent  for  a  wide  variety  of  marine  structures  (spanning  40  years),  it  unusual 
that  any  serious  checking  of  the  structure  design  is  performed.  Checking,  QA 
/  QC,  and  verification  of  the  structure  design  are  more  what  we  should  do  than 
what  we  actually  do.  This  is  satisfactory  when  the  designs  are  evolutionary, 
the  design  processes  well  established  and  proven,  the  system  is  highly  forgiv¬ 
ing,  and  experienced  engineers  are  at  the  helm  of  the  design  team.  This  is  not 
satisfactory  when  the  designs  are  revolutionary,  the  procedures  are  not  well 
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established  and  proven,  the  system  is  not  forgiving,  and  experienced  engineers 
are  not  at  the  helm  of  the  design  team. 

Recently,  the  author  has  been  involved  in  investigation  of  the  failure  of  a 
major  offshore  platform.  The  failure  occurred  during  installation  of  the 
platform.  The  roots  of  the  failure  were  imbedded  in  a  design  flaw;  a  failure  to 
address  a  critical  phase  of  the  platform  installation. 

The  design  process  involved  extensive  QA  /  QC.  Throughout  the  design 
phase,  there  was  a  concerted  effort  to  involve  the  constructor  with  the  design 
team.  Weekly  meetings  were  held  to  identify,  discuss,  and  resolve  design  and 
construction  problems.  There  was  extensive  QA  /  QC  documentation.  A 
leading  Classification  Society  performed  "independent"  design  and 
construction  reviews.  Throughout  the  project,  technical  representatives  from 
several  major  oil  companies  also  performed  design  reviews. 

Given  the  extensive  QA  /  QC  measures,  the  question  was:  how  and  why 
did  the  critical  flaw  slip  through?  It  is  noteworthy  that  one  engineer 
apparently  did  identify  the  potential  critical  flaw.  To  this  engineer,  "it  didn't 
look  right".  But,  the  groups'  consideration  of  the  potential  critical  flaw  did  not 
confirm  that  it  was  any  problem.  As  one  engineer  involved  in  the  checking  put 
it:  "no  one  could  prove  that  there  was  a  problem".  The  group  was  concerned 
with  other  potentially  more  serious  problems,  and  in  the  end,  the  concern  for 
the  potential  problem  was  dismissed.  In  addition,  toward  the  conclusion  of  the 
design  phase,  there  were  substantial  pressures  to  complete  the  work  on  time 
and  on  budget.  Worry  about  "unimportant"  details  had  to  be  surrendered. 

Could  the  critical  flaw  have  been  detected  before  the  accident? 
Examination  of  the  evidence  by  a  group  of  experts  clearly  identified  that  the 
flaw  could  have  been  detected.  Close  study  of  the  of  the  evidence  indicates  that 
the  flaw  was  missed  for  three  primary  reasons.  The  first  reason  was  diversion 
of  attention  to  "more  important  problems."  A  high  consequence  factor  was  not 
addressed.  The  second  reason  was  that  the  verification  and  checking  that  was 
performed  was  not  "independent"  from  the  circumstances  that  resulted  in  the 
critical  flaw.  The  attention  of  the  checking  efforts  was  diverted  just  as  the 
attention  of  the  design  and  construction  efforts  were  diverted.  The  third 
reason  was  the  pressure  to  complete  the  work  on  time  and  on  budget. 

Sufficient  resources  could  not  be  made  available  to  solve  the  problem  even 
though  the  potential  problem  could  be  relatively  easily  and  cheaply  solved. 

This  experience  points  out  the  importance  of  truly  independent, 
experienced,  and  thorough  verification  of  potentially  high  consequence  design 
"details"  (Table  10.3).  The  cost  of  such  verification  and  the  preventative 
measures  would  have  been  much  cheaper  than  the  costs  of  solving  the 
construction  problem.  Every  dollar  invested  in  prevention  could  have  saved 
approximately  2,000  dollars  in  cure.  Not  many  business  investments  have 
such  an  attractive  cost  -  benefit  ratio. 
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Note  in  Table  10.4  the  design  procedure  quality  attributes  of  intuitive, 
first  principles,  and  empirical  verifications  in  a  design  procedure.  Intuitive 
verifications  are  derived  from  the  designer  "feel"  cited  earlier.  Such  feel  is 
based  on  adequate  experience  with  the  design  procedures  and  analyses.  This 
feel  is  responsible  for  a  majority  of  quality  problems  that  are  detected  and  cor¬ 
rected  (design  near  misses). 

First  principles  verification  is  needed  so  that  complexity  is  not  allowed  to 
over-shadow  realism.  This  means  first  that  design  engineers  need  to  be  well 
trained  in  these  first  principles,  and  second,  that  the  design  process  must  al¬ 
low  and  encourage  their  use  in  verifying  the  results  from  the  process. 

Experience  has  indicated  that  results  from  simplified  methods  that 
employ  first  principles  can  play  an  important  role  in  identifying  problems  in 
results  from  complex  methods.  Yet,  there  is  often  little  "respect"  given  to  such 
methods  by  engineers.  They  feel  that  complex  methods  are  more  reliable  and 
give  more  realistic  results.  Simplified  methods  can  not  be  expected  to  develop 
the  details  developed  by  complex  methods.  However,  sophistication  in 
analytical  design  methods  does  not  assure  either  reliability  or  realism  in 
results.  There  is  an  important  need  to  further  develop  simplified  design 
methods  that  can  be  used  to  help  verify  the  fundamental  results  from  complex 
design  analyses. 

Empirical  or  experimental  verification  is  needed  because  of  the  inherent 
inadequacies  and  limitations  of  most  engineering  analytical  procedures  when 
applied  to  design  of  ship  structures.  This  is  particularly  true  when  it  comes  to 
loading  analyses,  but  it  also  applies  to  most  structure  analyses.  The  question 
is  the  extent  of  experimental  verification  that  is  required.  This  becomes  a 
problem  in  trading  off  the  costs  involved  in  providing  the  verification  versus 
the  costs  involved  when  insufficient  quality  is  obtained  due  to  the  lack  of  the 
verification. 

The  LRFD  design  guideline  should  encourage  the  use  of  all  three  verifi¬ 
cation  procedures  as  warranted.  Particular  emphasis  should  be  given  to  the 
requirements  for  independent,  experienced,  and  thorough  verification  of  "new 
designs"  of  ship  structures. 


Strategy  3 

The  third  strategy  that  should  be  incorporated  directly  into  the  design 
guidelines  and  their  development  regards  design  of  the  structure  to  be  tolerant 
or  forgiving  of  human  errors.  These  human  errors  can  and  probably  will  oc¬ 
cur  in  design,  construction  and  operation  of  a  ship  structure;  even  one  that 
has  been  designed  by  the  most  advanced  technology  available  today. 

It  is  rare  to  find  explicit  structure  design  guidelines  that  address  the 
need  for  obtaining  human  error  tolerance  in  the  life-cycle  of  any  type  of  struc¬ 
ture.  Some  have  begun  to  appear,  but  more  work  is  needed  to  develop  such 
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guidelines.  This  is  one  of  the  most  important  areas  for  marine  structures  re¬ 
search. 

The  results  of  the  MSIP  project  [Bea,  1993]  indicated  that  there  were  four 
general  approaches  that  should  be  considered  in  developing  human  error  tol¬ 
erant  structure  design  guidelines.  These  were  design  for: 

1)  damage  or  defect  tolerance  (robustness), 

2)  constructabilty, 

3)  inspectability,  and 

4)  maintainability  and  repairability. 

The  first  approach  is  focused  on  providing  fault  tolerance  in  the  ship 
structure  system.  The  last  three  approaches  are  focused  on  providing  fault 
avoidance,  detection,  and  removal  in  the  ship  design  process. 

Structure  robustness  can  be  achieved  with  a  combination  of  redundancy, 
ductility,  and  excess  capacity  in  the  structure  system.  Robustness  implies 
much  more  than  redundancy  (degree  of  indeterminacy)  [Das,  Garside,  1991]. 
Fail-safe  design  is  one  aspect  of  this  approach  [Bea,  1992]. 

Robustness  needs  to  be  placed  in  those  areas  of  the  ship  structure  that 
have  high  probabilities  of  damage  or  defects  and  high  consequences  associated 
with  such  damage  or  defects.  Such  an  approach  has  been  used  recently  in  de¬ 
sign  of  several  major  offshore  platforms  [Bea,  1994c].  The  approach  had  major 
effects  on  the  configuration  of  the  structures. 

Design  for  constructability  is  focused  on  configuration  and  proportion¬ 
ing  the  structure  to  promote  /  facilitate  high  quality  materials,  cutting  and 
forming,  and  assembly.  Design  for  inspectability  is  focused  on  the  same  struc¬ 
ture  design  activities,  but  this  time  the  objective  is  to  maximize  the  inspectabil¬ 
ity  of  the  ship  structure  during  its  operation.  Design  for  maintainabilty  and 
reparability  is  meant  to  direct  the  structure  design  engineers  attention  to  the 
long-term  life-cycle  phase  of  the  ship  structure.  Corrosion  management  and 
buckling  and  fracture  repairs  are  key  issues. 

All  of  these  design  approaches  are  intended  to  minimize  the  incidence  of 
and  effects  of  human  errors  that  can  occur  in  design,  construction,  and  opera¬ 
tion  of  a  ship  structure. 

Explicit  design  guidelines  should  be  developed  that  will  adequately  ad¬ 
dress  the  four  major  quality  attributes  of  the  ship  structure  including  service¬ 
ability,  safety,  durability,  and  compatibility.  In  addition,  structure  design 
guidelines  need  to  be  developed  that  will  address  the  constraints  and  issues 
associated  with  potential  damage  and  defects  in  the  structure,  its  construction, 
its  inspection,  and  its  maintenance  and  repair. 
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Summary _ 


This  chapter  has  addressed  the  question  of  whether  or  not  consideration 
of  HOE  should  be  integrated  into  development  of  the  new  LRFD  ship  structure 
design  procedure  being  developed  under  the  auspices  of  the  SSC.  The  answer 
is  yes,  consideration  of  HOE  should  be  integrated  into  this  procedure. 

This  chapter  has  addressed  three  ways  in  which  such  considerations 
might  be  developed.  These  include  organizational  measures,  design  team 
(individuals)  measures,  and  design  procedure  measures. 

Perhaps  of  primary  importance  to  the  future  SSC  efforts  are  the  design 
procedure  measures.  Three  strategies  have  been  suggested  that  involve: 

•  QA  /  QC  of  the  design  procedures  (fault  avoidance), 

•  QA  /  QC  required  as  an  integral  part  of  the  design  procedures  (fault 
detection  and  removal),  and 

•  LRFD  design  procedures  intended  to  minimize  the  occurrence  of  and 
effects  of  HOE  (fault  tolerance). 

In  a  review  of  the  processes  used  by  the  U.  S.  Coast  Guard  in  certifying 
the  safety  of  marine  vessels  and  structures,  a  committee  of  the  Marine  Board 
of  the  National  Academy  of  Engineering  made  the  following  recommendations 
[Committee  on  Assuring  the  Safety  of  Innovative  Marine  Structures,  1991]: 

•  Personnel  and  staffing  -  broad  based  mix  of  technical  expertise  and 
practical  experience  in  a  professional  working  environment. 

•  Polices  and  Practices  on  the  Use  of  Third  Parties  -  use  outside  exper¬ 
tise  and  assistance  as  needed  including  collaboration  with  ABS. 

•  Development  of  Technical  Criteria  -  procedures  for  establishing  tech¬ 
nical  criteria  for  certification,  development  of  a  searchable  and  retriev¬ 
able  data  base  of  applications,  reviews,  and  decisions. 

•  Lessons  to  be  Learned  from  Other  Agencies  -  examine  the  FAA  and 
NRC  data  retrieval  and  feedback  systems  for  applicability,  consider  the 
use  of  expert  panels  in  the  review  process. 

•  Emerging  Technologies  -  keep  abreast  of  an  understand  the  implica¬ 
tions  and  applications  of  new  and  emerging  technologies  to  the  certifica¬ 
tion  process,  risk  and  reliability  engineering  is  one  example. 

These  recommendations  are  embodied  in  the  findings  from  this  project 
and  the  associated  previous  MSIP  project  [Bea,  1993]. 
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Introduction 


This  chapter  identifies  high  priority  developments  that  are  suggested  as 
future  SSC  sponsored  efforts.  These  developments  are  essential  if  the 
background  developed  during  this  project  is  to  be  applied  in  efforts  to  improve 
the  quality  of  the  design  of  ship  structures. 

The  following  parts  of  this  chapter  will  address  future  developments  in 
ship  structure  design  in  two  general  categories: 

•  LRFD  design  guidelines,  and 

•  HOE  evaluation  qualitative  and  quantitative  methods. 


LRFD  Design  Guidelines 


This  project  explored  the  implications  of  HOE  as  they  related  to  devel¬ 
opment  of  a  probability  based  LRFD  guideline  for  ship  structures.  The  study 
concluded  that  the  improved  management  of  HOE  in  the  design  guidelines 
should  be  developed  using  two  approaches: 

1)  Quality  Assurance  and  Quality  Control  (QA  /  QC)  in  the  development 
of  the  design  guideline  and  incorporated  explicitly  into  the  guideline. 

2)  Provision  of  design  guidelines  to  help  assure  defect  and  damage  toler¬ 
ance  in  the  structure  and  to  promote  constructability,  and  IMR. 

These  two  approaches  are  intended  to  help  prevent  design  errors,  im¬ 
prove  the  detection  and  correction  of  errors,  and  develop  a  structure  that  will 
have  sufficient  tolerance  of  errors. 
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This  conclusion  suggests  four  SSC  sponsored  efforts  that  are  intended  to 
recognize  and  help  better  manage  HOE  in  an  LRFD  guideline  for  ship 
structures: 

1)  QA  /  QC  of  the  design  guideline  during  its  development, 

2)  Development  of  QA  /  QC  provisions  that  would  be  incorporated  into  the 
design  guideline, 

3)  Development  of  design  guidelines  to  assure  adequate  robustness  in  the 
ship  structure,  and 

4)  Development  of  design  guidelines  to  assure  adequate  constructability, 
inspectability,  maintainability,  and  repairability  in  the  ship  structure. 

The  majority  of  the  required  engineering  and  QA  /  QC  technology  exists 
to  help  accomplish  each  of  these  efforts.  The  SSC  has  sponsored  much  of  the 
research  and  development  that  has  resulted  in  this  technology. 

Background  needs  to  be  assembled  from  the  marine  and  non-marine 
fields,  work  performed  to  "fill  in  the  blanks"  in  the  technology,  and  the  results 
focused  in  development  of  practical  ship  structure  design  guidelines. 

These  developments  should  be  thoroughly  tested  in  demonstration  ef¬ 
forts  that  will  help  assure  that  the  provisions,  guidelines,  and  procedures  are 
practical. 


Qualitative  and  Quantitative  Methods 


The  results  of  this  project  indicate  that  there  is  a  wealth  of  technology 
available  to  allow  engineers  to  explicitly  address  HOE  in  the  design,  construc¬ 
tion,  and  operation  of  ships. 

This  technology  needs  to  be  further  developed  and  applied  if  the  profes¬ 
sion  and  industry  are  to  realize  significant  improvements  in  the  quality  of  ship 
structures.  The  results  from  this  project  have  suggested  two  primary  lines  for 
this  development: 

•  Conduct  of  symposia,  workshops,  and  meetings  on  human  and 
organization  factors  and  their  roles  in  the  quality  of  ship  structures, 

•  Further  development  and  testing  of  qualitative  and  quantitative  in¬ 
struments  methods  to  address  design  of  specific  ship  structures  in  the 
context  of  LRFD  procedures. 
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Technology  Transfer 

A  program  of  symposia,  workshops,  and  meetings  sponsored  by  the  Ship 
Structure  Committee  would  further  understanding  of  human  factors  and  their 
roles  in  the  quality  of  ship  structures.  Technology  and  experience  transfer  is  a 
primary  objective  of  this  activity.  The  program  needs  to  be  international  in 
scope. 


This  activity  would  facilitate  the  education  processes  that  must  be  un¬ 
dertaken  if  developments  such  as  are  represented  by  this  project  are  to  be  im¬ 
proved,  detailed,  tested,  and  applied.  These  symposia,  workshops,  and  meet¬ 
ings  should  involve  protagonists  and  antagonists;  researchers  and  practition¬ 
ers;  and  those  from  outside  the  engineering  disciplines  that  have  expertise  in 
human  factors  related  technologies. 


Development  of  HOE  Evaluation  Procedures 

This  project  has  resulted  in  development  and  illustration  of  application 
of  qualitative  and  quantitative  methods  to  enable  engineers  to  address  HOE 
considerations  in  the  design  and  construction  of  ship  structures.  These  meth¬ 
ods  need  to  be  further  developed  as  they  can  be  applied  to  development  of  LRFD 
guidelines  for  ship  structures. 

Four  specific  SSC  sponsored  efforts  are  suggested  to  address  HOE 
considerations  in  design  and  construction  of  ship  structures: 

1)  Study  of  how  best  to  integrate  considerations  of  the  four  quality 
attributes  into  a  ship  structure  design  guideline. 

2)  Identification  of  the  critical  parts  of  the  ship  structure  design  pro¬ 
cesses,  and  evaluation  of  how  QA  /  QC  procedures  might  best  be 
deployed  in  the  processes. 

3)  Study  of  where  and  how  robustness  (defect  tolerance)  and  fail-safe 
design  should  be  integrated  into  the  ship  structure  and  the  design 
guidelines. 

4)  Continued  development  of  the  qualitative,  quantitative,  and  mixed 
HOE  evaluation  approaches  defined  during  this  project  are  needed  as 
they  would  be  applied  to  specific  LRFD  design  guideline  and  design 
processes.  The  mixed,  Safety  Indexing  Method  (Appendix  C), 
approach  requires  development  and  testing  as  applied  to  the  LRFD 
design  guideline  and  design  process.  Development,  testing,  and 
practical  demonstrations  of  computer  software  to  facilitate  per¬ 
forming  the  quantitative  and  mixed  HOE  alternatives  evaluations  is 
needed. 
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Summary 


Future  SSC  sponsored  efforts  have  been  defined  to  apply  the  results  from 
this  project  in  improving  the  quality  of  what  is  integrated  into  a  ship  structure 
design  guideline.  These  efforts  address  the  following  HOE  considerations: 


•  technical  aspects  of  ship  structure  design  (e.  g.  defect  and  damage 
tolerance), 

•  development  of  ship  structure  design  guidelines  (e.  g.  QA  /  QC  in  the 
design  process), 

•  development  of  qualitative  and  quantitative  methods  to  address  HOE 
management  alternatives  in  ship  structure  design,  and 

•  education  in  how  human,  organization,  procedure,  and  hardware 
factors  can  affect  the  quality  of  ship  structures. 
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Summary 


Quality  is  freedom  from  unanticipated  defects.  Quality  is  fitness  for 
purpose.  Quality  is  meeting  the  requirements  of  those  that  own,  operate,  de¬ 
sign,  construct,  and  regulate  ship  structures.  These  requirements  include 
those  of  serviceability,  safety,  compatibility,  and  durability. 

There  are  three  primary  aspects  that  should  be  addressed  in  achieving 
quality  in  ship  structures:  designers,  constructors,  and  operators  of  the 
structure  (humans),  the  groups  that  are  responsible  for  the  management  of 
the  systems  (organizations),  and  the  physical  elements  (system  including 
structure,  hardware,  and  software).  A  thorough  understanding  of  ship 
structure  "systems"  indicates  that  there  literally  are  no  separate  parts.  There 
are  only  relationships  and  interactions.  This  understanding  is  at  substantial 
variance  with  the  historical  separation  and  compartmentation  of  ship 
structure  design,  construction,  and  operation. 

High  consequence  compromises  in  quality  of  ship  structures  result  from 
a  multiplicity  or  compounding  sequence  of  break-downs  in  the  human,  orga¬ 
nization,  and  system;  often  there  are  "precursors"  or  early  warning  indica¬ 
tions  of  the  break-downs  that  are  not  recognized  or  ignored. 

The  physical  components  of  "systems"  are  generally  the  easiest  of  the 
three  components  to  address;  design  for  human  tolerances  and  capabilities 
(ergonomics),  provision  of  redundancy  and  damage  /  defect  tolerance,  and  ef¬ 
fective  early  warning  systems  that  provide  adequate  time  and  alerts  so  that 
systems  can  be  brought  under  control  are  examples  of  potential  measures. 
Error  inducing  systems  are  characterized  by  complexity,  close  coupling,  latent 
flaws,  small  tolerances,  severe  demands,  and  false  alarms. 

Humans  are  more  complex  in  that  error  states  can  be  developed  by  a 
very  wide  series  of  individual  characteristics  and  "states"  including  fatigue, 
negligence,  ignorance,  greed,  folly,  wishful  thinking,  mischief,  laziness,  ex¬ 
cessive  use  of  drugs,  bad  judgment,  carelessness,  physical  limitations,  bore¬ 
dom,  and  inadequate  training.  External  (to  the  system)  and  internal  (in  the 
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system)  environmental  factors  such  as  adverse  weather,  darkness,  smoke, 
heat  provide  additional  influences. 

Selection  (determination  of  abilities  to  handle  the  job),  training 
(particularly  crisis  management),  licensing,  discipline,  verification  and 
checking,  and  job  design  provide  avenues  to  improve  the  performance  of  front¬ 
line  operators.  The  formation  of  motivated  and  cohesive  design  and 
construction  "teams"  can  do  much  to  improve  the  quality  of  ship  structures. 

While  the  human  and  system  aspects  are  very  important,  the  organiza¬ 
tion  aspects  frequently  have  over-riding  influences.  Corporate  "cultures"  fo¬ 
cused  on  production  at  the  expense  of  quality,  ineffective  and  stifled  communi¬ 
cations,  ineffective  commitment  and  resources  provided  to  achieve  quality,  ex¬ 
cessive  time  and  profit  pressures,  conflicting  corporate  objectives,  and  counter¬ 
quality  and  integrity  incentives  are  often  present  in  "low  reliability" 
organizations.  Generally,  these  aspects  are  the  most  difficult  to  address. 
Experience  indicates  that  high  reliability  organizations  tend  to  improve,  while 
low  reliability  organizations  do  not  improve  rapidly,  if  at  all. 

The  most  important  part  of  the  HOE  evaluation  process  is  qualitative;  a 
realistic  and  detailed  understanding  of  the  human,  organization,  and  system 
aspects  and  potential  interactions  must  underlie  the  entire  process. 
Quantitative  aspects  provide  an  important  framework  in  which  to  evaluate  the 
potential  effectiveness  of  proposed  "fixes"  and  to  examine  the  detailed  interac¬ 
tions  of  human,  organization,  and  system  components. 

The  results  from  this  project  indicate  that  we  should  change  our 
thinking  away  from  a  concept  of  ship  structure  systems  as  elements, 
components,  and  separate  structures  and  understand  them  as  integrated 
systems  that  intimately  involve  individual  and  collective  (organizations) 
human  beings.  We  need  to  understand  these  systems  as  organisms,  living 
systems,  that  can  harbor  latent  pathogens  [Reason,  1991]. 

There  is  no  ship  structure  design  and  construction  quality  database  that 
can  be  relied  upon  to  give  accurate  quantitative  indications  of  the  frequencies  of 
contributors  to  unacceptable  quality;  in  the  case  of  specific  accident  scenarios, 
existing  databases  frequently  give  misleading  indications  of  causes  and 
consequences.  Complex  interactions  are  frequently  not  determined  or  lost  in 
the  reporting.  Study  of  past  high  consequence  accidents  can  provide  important 
insights  into  the  complex  interactions  of  humans,  organizations,  and  systems 
and  can  provide  the  basis  for  development  of  generic  "templates"  for  evaluation 
of  other  similar  systems.  Study  of  "near  misses"  can  show  how  potentially 
catastrophic  sequences  of  actions  and  events  can  be  interrupted  and  brought 
under  control.  There  is  no  generally  available  database  or  archiving  system 
for  "near  miss"  information.  This  state  of  affairs  needs  to  be  improved;  such 
databases  need  to  be  developed  and  there  are  existing  models  for  such 
developments. 
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An  adequate  and  understandable,  but  complex,  quantitative  analysis 
system  exists  to  assist  evaluations  of  HOE.  PRA  has  proven  to  be  able  to  show 
the  complex  interactions  and  influences  and  efficiently  produce  quantitative 
indices  that  can  indicate  the  effectiveness  of  alternative  HOE  "fixes."  Because 
of  the  lack  of  accurate  and  definitive  objective  data  to  serve  as  input  to  such 
quantitative  models,  structured  "index"  models  have  been  developed  to  allow 
encoding  subjective  judgment  into  the  evaluation  of  probabilities.  More  work  is 
needed  to  develop  both  the  qualitative  and  quantitative  methods  so  that  they  can 
be  applied  to  improve  the  quality  of  ship  structures. 

The  primary  objective  of  QA  /  QC  assessments  and  HOE  evaluations 
should  not  be  to  produce  numbers.  The  primary  objective  of  the  assessments 
should  be  to  provide  a  disciplined  and  structured  framework  that  is  able  to 
produce  insights  and  information  that  can  lead  to  improvements  in  QA  /  QC 
activities  to  achieve  desirable  quality  in  ship  structures.  Prediction  is  not  the 
objective  of  this  effort.  Improvement  in  quality  is  the  objective.  The  analyses 
should  be  performed  to  provide  the  insights  that  can  help  define  how  best  to 
develop  acceptable  and  desirable  quality  in  ship  structures. 

Some  of  the  parameters  and  variances,  and  in  many  cases,  the  very 
important  ones  can  not  be  quantified  with  a  high  degree  of  reliability.  In  most 
cases,  these  are  the  parameters  and  variances  that  address  the  inter¬ 
relationships  of  individuals  and  organizations.  Perhaps  the  most  important 
figures  that  one  needs  for  quality  management  and  quality  engineering  are 
unknown  or  unknowable. 

To  take  any  action  with  a  ship  structure  design,  construction,  or 
operation  system  without  an  intimate  and  thorough  knowledge  of  that  system 
is  "tampering."  Deep  knowledge  of  a  system  includes  a  detailed 
understanding  of  the  system,  an  understanding  of  qualitative  and  quantitative 
evaluations,  a  knowledge  of  psychology  (individuals,  organizations),  and  an 
understanding  of  the  limitations  of  our  abilities  to  describe  and  analyze 
complex  systems.  Without  a  deep  knowledge  of  the  system,  one  can  be 
seriously  mislead. 


The  primary  responsibilities  for  determining  and  achieving  desirable 
and  acceptable  quality  in  ship  structures  rests  with  the  owner  and  operator  of 
the  ship.  The  owner  and  operations  segments  play  a  pivotal  role  in  the 
organization  for  quality.  The  owner  and  operator  are  substantially  responsible 
for  the  quality  of  any  ship.  They  are  responsible  for  establishing  the  system 
requirements  and  objectives  and  communicating  them  to  the  other 
organizations.  The  owner  /  operator  is  responsible  for  consideration  of  the 
relationships  of  cost  and  performance  and  function. 


The  regulatory  authorities  should  be  responsible  and  accountable  for 
definition  and  verification  of  compliance  with  the  goals  and  policies  of  accept¬ 
able  quality  in  ship  structures. 
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Classification  authorities  should  be  responsible  and  accountable  for 
development  of  classification  rules  that  will  guide  and  verify  design, 
construction,  and  operation  of  acceptable  quality  ship  structures  that  meet 
regulatory  and  owner  requirements.  Surveying  during  the  construction  and 
operational  phases  is  an  essential  part  of  this  responsibility.  Independent 
third-party  verification  of  designs  is  another  essential  component. 

The  manufacturers  of  ship  structures  should  be  responsible  for 
designing  and  producing  marine  structures  that  will  have  appropriate  and 
desirable  levels  of  quality. 

Specific  approaches  and  examples  have  been  developed  during  this 
project  to  illustrate  how  human  factors  might  be  integrated  into  the  ship 
structure  design  process.  This  work  needs  to  be  continued  and  extended  into 
construction  and  operation  of  ship  structures  if  we  are  to  realize  dramatic 
improvements  in  the  quality  of  these  structures. 


Conclusions 


The  author  contends  that: 

"most  engineers  are  very  uncomfortable  with  two  things: 

uncertainty,  and  people." 

The  challenges  of  design,  construction,  and  operation  of  ship  structures 
involves  both.  Neither  can  or  should  be  avoided. 

Engineers  have  much  to  learn  about  how  to  improve  their  role  and 
activities  in  helping  develop  engineered  systems  that  will  have  desirable  and 
adequate  quality.  A  vast  field  of  human  factors  related  technology  has 
developed.  The  analytical  thinking  and  processes  of  engineering  needs  to 
absorb  the  technologies  of  human  psychology,  management,  and  cognitive 
psychology. 

The  analytical  thinking  and  processes  of  engineering  need  to  shift  from 
the  objective  of  prediction  to  the  objective  of  evaluation,  assessment,  and 
improvement  of  the  processes  that  are  used  to  design,  construct,  and  operate 
ship  structures. 

If  their  work  is  to  be  meaningful,  engineers  must  learn  as  much  about 
people  as  they  presently  know  about  the  physical  and  mechanical  aspects  of  the 
elements  that  comprise  and  affect  engineered  systems.  Recognition  of  and 
education  in  human  factors  are  two  of  the  primary  obstacles  to  integration  of 
human  factors  into  engineering. 

The  historic  development  of  LRFD  guidelines  has  had  as  one  of  its 
foundation  probability  methods  that  attempt  to  address  some  of  the 
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uncertainties.  In  almost  all  cases,  this  historic  development  has  fallen  short 
of  explicitly  addressing  one  of  the  primary  sources  of  uncertainty  and  hazards 
to  quality:  people. 

Many  of  the  experienced  engineers  that  have  objected  to  probability  based 
LRFD  developments  have  objected  to  this  development  primarily  for  this 
reason.  They  sense  that  something  important  is  missing,  and  it  is.  But,  the 
same  thing  is  also  missing  from  the  more  traditional  methods.  And,  in  the 
main,  it  is  for  this  reason  that  we  are  now  recognizing  the  reasons  for  the 
majority  of  compromises  in  the  quality  of  both  marine  and  non-marine 
structures  are  firmly  rooted  in  HOE. 

This  project  has  attempted  to  start  development  of  a  bridge  between 
where  we  are  and  where  we  can  be  in  recognizing  human  factors  in  design  of 
ship  structures.  HOE  recognition  can  and  should  be  integrated  into  our  future 
developments  to  improve  the  quality  of  ship  structures.  The  basic  tools  exist. 
They  need  to  be  further  developed,  tested,  and  wisely  used. 
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ABS 

ACI 

ASCE 

CAIP 

CSD 

DOC 

DPL 

EDA 

ENR 

ETA 

FAA 

FEA 

FLAIM 

FMEA 

FTA 

GRT 

HazOps 

HESIM 

HOE 

HRA 

HRO 

HRO 

HTS 

IABSE 

I  ACS 

ICAM 

ICS 


DEFINITION  OF  ACRONYMS 


-  American  Bureau  of  Shipping 

-  American  Concrete  Institute 

-  American  Society  of  Civil  Engineers 

-  Critical  Area  Inspection  Plan 

-  Critical  Structural  Details 

-  Document  of  Compliance 

-  Decision  Programming  Language 

-  Events,  Decisions,  and  Actions 

-  Engineering  News  Record 

-  Event  Tree  Analyses 

-  Federal  Aviation  Administration 

-  Finite  Element  Analyses 

-  Fire  and  Life  safety  Assessment  Indexing  Method 

-  Failure  Mode  and  Effects  Analyses 

-  Fault  Tree  Analyses 

-  Gross  Registered  Tonnage 

-  Hazard  and  Operability  analyses 

-  Human  Error  Safety  Index  Method 

-  Human  and  Organization  Errors 

-  Human  Reliability  Analysis 

-  High  Reliability  Organization 

-  High  Reliability  Organizations 

-  High  Tensile  Steel 

-  International  Association  of  Bridge  and  Structure  Engineers 

-  International  Association  of  Classification  Societies 

-  Integrated  Computer  Aided  Manufacturing 

-  International  Chamber  of  Shipping 
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IDA 

-  Influence  Diagram  Analyses 

InDia 

-  Influence  Diagramming  (computer  program) 

IDEF 

-  ICAM  Definition  language 

IMO 

-  International  Maritime  Organization 

IMR 

-  Inspection,  Maintenance,  and  Repair 

ISM 

-  International  Safety  Management 

ISO 

-  International  Standards  Organization 

ISSC 

-  International  Ship  and  offshore  Structures  Congress 

LER 

-  Licensee  Event  Report 

LRFD 

-  Load  and  Resistance  Factor  Design 

MSIP 

-  Marine  Structural  Integrity  Programs 

NRC 

-  Nuclear  Regulatory  Commission 

NC 

-  Norwegian  Contractors 

OPA 

-  Oil  Pollution  Act 

POD 

-  Probability  of  Detection 

PRA 

-  Probabilistic  Risk  Analyses 

QA 

-  Quality  Assurance 

QC 

-  Quality  Control 

QMS 

-  Quality  Management  System 

QRA 

-  Quantified  Risk  Analyses 

SIM 

-  Safety  Index  Method 

SMC 

-  Safety  Management  Certificate 

SMS 

-  Safety  Management  System 

SOLAS 

-  Safety  of  Life  at  Sea  (Convention) 

SSC 

-  Ship  Structure  Committee 

SSIIS 

-  Ship  Structural  Integrity  Information  System 

THERP 

-  Technique  for  Human  Error  Rate  Prediction 

TQC 

-  Total  Quality  Construction 

TQE 

-  Total  Quality  Engineering 

TQM 

-  Total  Quality  Management 

TQO 

-  Total  Quality  Operations 

ULCC 

-  Ultra  Large  Crude  Carrier 

USCG 

-  United  States  Coast  Guard 

VLCC 

-  Very  Large  Crude  Carrier 

VTS 

-  Vessel  Traffic  System 

WSD 

-  Working  Stress  Design 

270 


HESIM  &  FLAIM 
SAFETY  INDEXING  METHODS 


Safety  Indexing  Methods 


Safety  Indexing  Methods  (SIM)  have  been  used  successfully  in  a  variety 
of  marine  and  non-marine  applications  as  a  means  of  identifying  potential 
quality  /  reliability  problems  and  then  identifying  means  to  improve  the 
reliability  and  quality  characteristics  of  the  systems.  SIM  represent  a  logical 
and  disciplined  way  to  bridge  the  gap  between  the  lack  of  definitive  information 
on  HOE  and  the  need  to  improve  the  quality  of  engineered  systems. 

The  core  of  these  methods  is  formed  by  professional  judgment  based  on 
qualified  experience  and  training,  historical  records,  and  in  some  cases, 
hazard  evaluation  techniques  such  as  Hazard  and  Operability  Studies 
(HazOps)  and  Event  Tree  Analyses  (ETA).  This  core  is  used  to  identify,  select, 
and  define  key  variables  that  are  risk  contributors  and  risk  mitigators.  These 
variables  are  then  combined  by  using  various  algorithms  to  yield  risk  indices 
indicative  of  the  state  of  the  system.  An  overall  risk  index  can  be  generated  to 
compare  different  facilities  and  options  to  improve  their  quality 
characteristics.  This  risk  index  can  be  calibrated  to  quantitative  quality  - 
reliability  -  probability  of  failure  evaluations.  Cost-benefit  evaluations  can  be 
based  on  the  results  from  Safety  Indexing  Methods. 

Given  accident  and  near-miss  investigations  databanks  that  are 
designed  to  supply  information  required  by  the  SIM  and  the  long-term 
implementation  of  these  reliability  databanks,  the  subjectivity  involved  in  the 
methods  can  be  gradually  replaced  by  objective  information. 

During  the  past  five  years,  two  such  methods  have  been  developed  from 
research  performed  under  the  auspices  of  the  Marine  Technology 
Development  Group  at  the  University  of  California  at  Berkeley.  One  system 
developed  during  the  Doctoral  research  performed  by  Dr.  W.  H.  Moore  was 
developed  for  the  evaluation  of  HOE  in  the  operations  of  marine  systems 
[Moore,  Bea,  1993].  This  system  is  identified  as  HESIM  -  Human  Error  Safety 
Indexing  Method. 
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The  second  method  was  developed  in  the  Doctoral  research  performed  by 
Dr.  W.  E.  Gale  Jr.  for  the  evaluation  of  HOE  in  fires  and  explosions  on  offshore 
platforms  [Gale,  Bea,  Williamson,  1993;  Gale,  et  al,  1994].  This  system  is 
identified  as  FLA1M  (Fire  and  Life  Safety  Assessment  Indexing  Method. 

Because  of  their  potential  future  applications  to  evaluations  of  HOE  in 
the  design  and  construction  of  ship  structures,  these  two  methods  are 
summarized  in  this  appendix. 


HESIM 


HESIM  was  developed  to  allow  the  encoding  of  judgment  regarding  the 
occurrence  of  HOE  in  operations  of  marine  systems  in  a  probabilistic 
framework.  HESIM  integrates  error  inducing  parameters  (error  solicitors) 
that  can  lead  to  an  operating  accident  event.  The  error  solicitors  are 
organizational,  human,  task,  system,  and  environmental  factors. 

HESIM  incorporates  error  factors  from  four  categories  of  primary 
contributors:  (1)  organizational,  (2)  human,  (3)  system,  and  (4)  the  operating 
environment.  Table  C.l  defines  the  contributing  factors  in  each  of  these 
categories. 


Table  C.l  -  Categorization  of  contributing  factors  to  HESIM 


ORGANIZATION 

HUMAN 

SYSTEM 

OPERATING 

ENVIRONMENT 

Top-level 

Management 

Stress 

Complexity 

External 

Middle  -  Front¬ 
line 

Management 

Routineness 

Internal 

Regulatory 

HESIM  is  a  consolidation  of  heuristic  approaches  and  the  development 
of  an  accident  database.  HESIM  provides  the  framework  for  development  of  an 
accident  and  near-miss  database  [Moore,  Bea,  1993].  As  detailed  accident  data 
becomes  more  available  for  particular  accident  classes,  the  risk  indices  are 
refined  to  correlate  with  the  casualty  statistics.  The  conditional  human  error 
index  is  used  as  a  quantitative  measurement  for  IDA.  It  is  not  a  probabilistic 
measure,  but  a  means  by  which  to  systematically  quantify  human  errors. 
These  measures  form  a  basis  from  which  future  error  index  refinements, 
modifications,  and  verifications  are  made  until  sufficient  data  is  available  to 
use  probabilistic  measurements. 
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Equation  C.l  is  the  generalized  equation  integrating  contributing  HOE 
factors. 


,OEj ,HF,Syst,Env,EDAq  ^ij^HEj IOEj,HF,Syst,Env,EDAq  *  ^^OEj.EDA,  ^ 

*  Slffi: ,EDAq  *  SISyst  ,EDAq  *  SIEnv  ,EDAq 

Each  safety  index  SI,  lies  between  0  and  1  and  ky  is  a  factoring  constant 
for  human  error  i  and  organizational  error  j:  0  <  SI  <  1. 

The  overall  human  error  index  is  the  quantitative  measurement  of 
human  and  organizational  errors,  human  factor,  system,  and  environmental 
factors  occurring  for  a  specified  event,  decision,  or  action.  The  overall  human 
error  safety  index  (SlHEi,OEj,HF,Env,Syst,EDAq)  is  the  product  of  five  safety 
indices: 


( 1) human  error  safety  index  (SlHEi  IOEj,HF,Env,Syst,EDAq) , 

(2)  organizational  error  index  (SIoEj,EDAq)> 

3)  human  factor  index  (SlHF,EDAq)> 

(4)  system  index  (SIsyst.EDAq),  and 

(5)  environmental  index  (SlEnv.EDAq)- 

As  shown  in  Equation  C.2,  the  measure  of  the  overall  human  error 
safety  index  is  a  weighted  frequency  of  the  factors  for  a  specified  class  of 
accidents  (e.g.  tanker  collisions  or  grounding,  offshore  production- 
maintenance  explosions,  and  fires). 


SI 


HE;  ,OEj,EDAq  ,HF,Syst,Env 


}k  -  1  ^HEj  ,OEj  ,EDAq  ,HF,Syst,Env  J 


EDAq  ,HF,Syst,Env  I 


km 


(C.2) 


$ 


HE.,MOE.EDA  ,TLM 

•  J  q 
HF,Syst,Env 


0  no  relation 

—  "low"  certainty  of  relation  between  HE.  and  MOE . 

3  1  J 

1 

—  "moderate"  certainty  of  relation  between  HE.  and  MOE^ 
1  "high"  certainty  of  relation  between  HE.  and  MOE^ 


where  k  is  the  consequence  level  of  the  casualty,  and  m  is  the  total  number  of 
operations  per  measurement  of  time  for  that  consequence  level. 

Weighted  values  are  assigned  that  depend  upon  the  certainty  of  that 
factor  being  a  contributor  to  a  casualty-near  miss  sequence.  The  error 
frequency  is  determined  by  averaging  across  the  weighted  frequencies  of  joint 
occurrences  between  the  five  categories  under  all  external  operating 
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conditions,  human  factors,  and  system  complexity.  For  each  casualty-near 
miss,  the  associated  human,  organizational,  human  factor,  system,  and 
environmental  contributor  is  defined.  The  certainty  values  are  placed  in  the 
proper  location  for  the  joint  occurrences  as  shown  in  Table  C.2. 

The  human  error  index  is  the  quantitative  measurement  of  human 
error  conditional  upon  a  set  of  organizational  errors,  human  factors,  system 
and  environmental  factors  for  a  specified  sequence  of  Events,  Decisions  and 
Actions  (EDA).  By  solving  for  the  human  error  index  of  Equation  C.l  to  arrive 
at  Equation  C.3,  one  is  able  to  use  these  values  as  quantitative  measurements 
of  human  errors  under  varying  organizational,  human  factor,  system,  and 
environmental  conditions.  Again  it  should  be  noted  that  the  human  error 
index  generated  by  this  technique  is  not  a  probability,  but  an  index  value 
conditional  upon  any  number  of  error  solicitors.  These  are  the  conditional 
safety  indices  that  are  used  in  the  IDA. 


{^^HE|IOEj,HF,Syst, Environ, EDA,  }k  ~ 


SI 


HE.  ,OE  ,,HF,Syst,Environ,EDA 

1  j  _ qjk 


(C.3) 


kjj  *  SI 

1J  OE  ,EDA 


*  SIjjp  EDA  *  si 


Syst.EDA,*  SIEnv,EDA, 


The  next  step  is  to  provide  a  methodology  for  measuring  the  safety 
indices  in  the  denominator  of  Equation  C.3.  The  organizational  error  safety 
index  (SIoEj  ,EDAq)  shown  in  Equation  C.4  is  a  measure  of  the  impact  of  top- 
level  management  upon  mid-level  management  and  operator  level 
management  errors  (MOE)  effects  upon  human  errors  (HE)  at  the  operator 
level.  A  matrix  representation  of  Equation  C.4  is  shown  in  Table  C.3.  The 
index  is  assumed  to  be  relatively  static  over  short  periods  of  time  for  an 
operation  [Reason,  1992]. 


SIOE.,EDAq  SIMOEjITLM  SIMOEj,EDAq  (C  4) 

As  shown  in  Equation  C.7,  the  organizational  error  index  is 
differentiated  into  two  categories.  First,  the  top-level  management  index 
(SlMOEj  ITLM)  measures  the  level  of  Top-Level  Management  (TLM) 
commitment  to  safety  and  resource  allocation  for  safety  measures.  The  TLM 
commitment  to  safety  and  resources  has  varying  degrees  of  impact  upon 
MOEs. 


In  Equation  C.5,  SlMOEj  l  TLM  is  the  safety  index  of  TLM's  impact 
upon  MOEj  Varying  degrees  of  impact  are  measured  by  weighing  the  impact 
of  five  TLM  factors: 
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(1)  overall  commitment  to  safety  (Qi), 

(2)  commitment  to  long  term  safety  goals  (Q2), 

(3)  cognizance  of  problems  (Q3), 

(4)  competence  to  correct  the  problem  (Q4),  and 

(5)  sufficient  resources  to  correct  problems  (Q5) 


such  that, 


SW JTLM  =  maX  ♦lA  +  *21%  +  *31%  +  *41^4  +  *51Q5* 


'si  1 

.  MOEJTLM 
v  1  /o„ 


SI 


MOE2ITLM 


=  ■max^12Q1  +  ^22Q2 


+  *32% 


+  ^42Q4 


+  <I,52Q5’ 


SI 


MOEJTLM  . 

2  /0 


f 


SIMOE.ITLM  =  Hty*l  +  ty^  +  ty^  +  ty^  +  *5jQ3' 


\ 


SIMOE.ITLM 
V  J  Jq  J 


SIMOE„ITLM  maX  ]  ^19^1  +  ^29^2  +  ^39^3  +  ^49^4  +  ^59^5’ 


SI 


MOE^  ITLM  j  j 


ct  =  1 

MOE10ITLM 


(C.5) 


where, 


J  1  if  "high"  or  "sufficient” 

=  |_1  if  "low"  or  "insufficient" 

IV 

a 


If  the  TLM  factor  is  "high"  or  "sufficient",  it  adds  to  the  safety  index, 
however  if  "low"  or  "insufficient",  it  reduces  that  safety  index.  The  weights 
can  be  thought  of  as  the  percent  of  impact  upon  MOEs  by  TLM  factors.  Since 
MOE10  represents  no  organizational  errors,  there  is  no  impact  of  TLM  on 
MOE10  thus  the  safety  index  is  unchanged. 
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for  accident  class  n,  consequence  nk»  EDAq,  human  factors,  system  factors,  and  environmental  factors 


Bole  of  Human  Error  In  Reliability  of  Marine  Structures 


bW 

oO 

es 

3 

0 

3 

0 

3$ 

3 

O 

3- 

3 

0 

5* 

O 

i-H 

3 

O 

3$ 

manning 

(MOE9) 

3 

On 

HLP 

3 

a 

S' 

On 

& 

s’ 

Jl 

ON 

3 

On 

aS 

comm/ 

info 

(MOEg) 

cr 

M 

00 

u? 

cr 

00 

CN 

4JLP 

cr 

00 

3 

00 

a* 

S' 

OO 

ax? 

5” 

00 

a$ 

operating 

policy 

(MOE7) 

3 

r- 

£ 

r- 

CN 

4JLP 

3 

r- 

5* 

3 

F 

3 

r- 

a$ 

regul/ 

policing 

(MOE*) 

& 

so 

ULP 

cr 

M 

SO 

<N 

*JLP 

cr 

<r 

& 

cr 

« 

a!? 

□r 

aS 

job  design 
(MOE5) 

1 

u? 

a5* 

to 

3 

5* 

«/■> 

a? 

S 

un 

a$ 

morale/ 

incentive 

(MOE4) 

3 

5“ 

a 

ULP 

Tf 

& 

5* 

ill? 

5* 

violation 

(MOE3) 

cr 

£ 

cr 

cn 

U-P 

«r 

cn 

JJLP 

«r 

M 

r<~> 

XLT 

3 

cn 

yJLP 

S 

cn 

NO 

ULP 

maint¬ 

enance 

(MOE2) 

5“ 

CN 

5* 

cn 

CN 

UJ' 

S' 

CN 

CO 

JJJ' 

5* 

CN 

UJ' 

51 

CN 

DLP 

CN 

NO 

*JLP 

know/ 

training/ 

exper 

(MOEi) 

cr 

cr 

CN 

U/» 

J? 

m 

ulP 

cr 

M 

Tt 

4JLP 

cr 

.* 

Ui' 

fH 

NO 

4JLP 

Human 

Errors 

(HE-) 

hum/syst 
interface 
(HEi) _ 

know/train/ 
exper  (HE2) 

05  cr 

ja’H 

f  « 

C  co 

a  a 

c  ^ 

violations 

(he4) _ 

job  design 
(HEg) _ 

0 

iU' 

fa 

8 

276 


Role  of  Human  Error  In  Reliability  of  Marine  Structures 

Second,  the  middle-operator  level  management  safety  index 
(SlHEi  I  MOE,EDAq)  is  the  sum  of  each  organizational  error's  effect  upon  a 
particular  human  error  "i"  (HEj).  Each  index  associates  the  organizational 
error's  effect  upon  human  errors  at  the  operator  level.  The  minimum  value  of 

f  \ 

the  impact  of  top-level  management  SIMQE  |TLM  ,  is  provided  by  the  user  and 

V  •>  Jo 

f  \ 

should  be  established  such  that  „  >0. 

MOE.ITLM 

V  J  Jo 

To  determine  the  safety  index  for  a  particular  HE  as  a  result  of  the 
organizational  errors  (OEs),  the  safety  index  is  determined  by  providing 
estimates  of  the  relative  effect  of  "good",  "fair",  or  "poor"  organizational  error 
management.  Figure  C.l  is  a  graphical  display  of  how  routine  a  safety  index 
is  obtained  through  a  linearization  technique  and  described  in  Equation  C.6. 


Figure  C.l  -  Linearized  measurement  of  middle-front  line  management  index 


SI 


MOE  ,EDA 
j  q 


1 


if  "high" 


1  / 2  + 1  / 2(1  / p .)  if  "moderate" 

1/p.  '  if"low" 

J 


(C.6) 


where  rj  is  the  maximum  degree  by  which  MOEj  is  judged  to  be  increased  for 
ED  An. 
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The  human  factor  index  described  in  Equation  C.l  is  categorized  into  the 
product  of  a  stress  index  (SIstress.EDAq)  and  a  routineness  index 
(SlRoutineness.EDAq)  as  shown  in  Equation  C.7.  Stress  and  routineness  are 
measured  to  assess  the  relative  effect  upon  the  safety  of  the  system.  The  user 
judges  the  relative  effect  of  "high"  stress  or  routineness.  Figure  C.2  is  a 
graphical  display  of  how  the  stress  safety  index  is  obtained  through  a 
linearization  technique  and  shown  in  Equation  C.8.  The  index  measuring 
routineness  of  the  EDAq  is  linearized  and  shown  in  Figure  C.3  and  the 
formulation  is  described  in  Equation  C.9. 


SI 


Hum  factor, EDA 


=  SI 


Stress, EDA 


SI 


Routineness, EDA 


(C.7) 


SI 

5tressl  EDA 

9 


1  if  "low" 

•  1  /  2  + 1  /  2(1  /  a)  if "  moderate" 
1/a  if  "high" 


(C.8) 


where  a  is  the  maximum  degree  by  which  stress  is  judged  to  be  increased  for 
EDAq. 
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SI 

tfoutinenesslEDA 


1  if  "high" 

<  1/2 +  1/2(1 /£)  if  "moderate" 
\/(5  if  "low" 


(C.9) 


where  b  is  the  maximum  degree  by  which  routineness  is  judged  to  be 
increased  for  EDAq. 

The  system  safety  index  (SIsystem.EDAq)  of  Equation  C.l  measures  the 
ability  of  the  operator  to  properly  acquire,  assess,  and  act  on  information 
provided  by  the  operating  system.  Similar  to  the  quantitative  calculation  of 
stress  and  routineness,  judgments  are  made  as  to  the  impact  of  system  factors 
upon  the  overall  safety  index.  The  linearization  is  shown  in  Figure  C.4  and 
formalized  in  Equation  C.10. 


SI 

SystlEDA^ 


•  1  /  2  + 1  /  2(1  /  y) 

1/  y 


if  "low" 
if  "moderate" 
if  "high" 


(C.10) 


where  g  is  the  maximum  degree  by  which  system  complexity  is  judged  to  be 
increased  for  EDAq. 
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The  environmental  safety  index  (SlEnviron.EDAq)  in  Equation 
C.ll  is  the  product  of  two  indices:  the  external  operating  condition  impairment 
index  (SlExternal.EDAq)  and  internal  operating  condition  impairment  index 
(SIlnternal,EDAq)- 

^Environ, EDA  ~  ^External  ,EDA  *  ^Internal  ,EDA  (C.ll) 

q  u  q  v  q 


The  impacts  of  environmental  factors  in  HESIM  represent  external  and 
internal  impairment  contributors.  Environmental  factors  impair  the 
individual  operator's  ability  to  think  and  perform  actions.  Any  combination  of 
environmental  factors  may  affect  the  abilities  of  the  operator.  However,  any 
number  of  environmental  factors  may  be  the  dominant  contributors  to  errors. 

For  example,  fire  and  smoke  may  be  impairing  the  abilities  to  evoke 
mitigation  procedures.  However,  smoke  may  be  the  dominant  environmental 
factor  leading  to  errors  by  the  operators  due  to  the  operators  inability  to  breath 
correctly.  It  is  at  the  discretion  of  the  user  to  determine  degree  to  which  a 
single  environmental  factor,  or  any  combination  of  factors,  affects  the 
environmental  safety  index.  This  may  be  performed  by  a  linearization  method 
similar  to  the  safety  indices  developed  for  stress,  routineness,  and  system 
complexity  factors  developed  above.  As  shown  in  Figure  C.5,  "high", 
"moderate",  and  "low"  environmental  impairment  severity  affect  the  accident 
contributors.  Equation  C.12  is  the  linearization  equation  used  to  determine  the 
environmental  safety  indices. 
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Figure  C.5  -  Linearized  measurement  of  environmental  impairment  factors 
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*  1/2 +  1/2(1 /euv) 
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if  "low" 
if  "moderate" 
if  "high" 


(C.12) 


where  e  is  the  maximum  degree  by  which  external  environmental  factor  u  (eu) 
or  internal  environmental  factor  v  (ev)  is  decreased  for  EDAq. 

The  final  step  in  the  model  development  procedure  is  to  relate  the  safety 
index  evaluation  to  the  overall  reliability  of  the  operating  system.  Figure  C.6 
provides  an  overview  of  the  HOE  evaluation  procedure.  Step  1  entails  the 
system  analysis  procedure  used  to  define  the  particular  human, 
organizational,  system,  procedures,  and  environmental  contributors  to  an 
accident  scenario.  The  modeling  procedure  described  was  to  use  influence 
diagrams  to  develop  an  accident  template  that  retains  the  primary  causative 
mechanisms  to  an  accident  scenario  yet  does  not  entail  many  of  the  unique 
characteristics  of  the  casualty  being  modeled 


For  Step  2  HESIM  is  used  as  a  quantitative  measuring  procedure  that 
incorporates  both  available  accident  data  and  heuristic  judgments.  As  data 
becomes  more  available,  there  is  a  reduction  of  reliance  upon  judgments  and 
experiences  and  a  greater  reliance  is  placed  upon  objective  data  to  generate 
human  error  related  probabilities. 

Step  3  entails  using  the  safety  index  evaluations  for  both  calibrating  and 
confirming  the  HESIM  procedure.  Historical  failure  rates  for  catastrophic 
events  are  used  for  confirmation  of  the  modeling  procedure  and  the  HESIM  is 
used  to  ensure  that  the  quantitative  modeling  procedure  is  consistent  with  case 
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study  analyses.  Once  the  safety  (or  risk)  indices  are  evaluated  for  the  HOEs 
using  the  HESIM,  they  are  input  into  the  influence  diagram  template  model. 
An  overall  safety  index  is  calculated  for  the  target  failure  event  being  modeled 
(e.g.  grounding  or  collision  for  a  tanker,  loss  of  fuel  containment  on  production 
platform)  such  that: 

Pf  =  Probability  of  "Activity"  results  in  undesirable  outcome 

As  shown  in  Figure  C.6,  the  safety  index  is  then  compared  to  the 
probability  of  failure  for  that  particular  accident  event.  This  procedure  is  then 
repeated  for  a  sufficient  number  of  cases  to  determine  a  general  range  for  the 
functional  relationship  between  the  safety  indices  and  the  failure  event 
probabilities  (Figure  C.7). 


Figure  C.6  -  HOE  analysis  procedure  based  on  HESIM  indexing  method 
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Figure  C.7  -  Probability- risk  index  relation  curve 


Figure  C.8  -  Safety  index-reliability  curves 


As  shown  in  Figure  C.8,  a  risk  meter  can  be  developed  that  compares 
the  safety  index  and  the  reliability  of  the  operational  system.  The  risk  of 
failure  can  be  categorized  into  "low”,  "moderate",  and  "high"  intervals.  The 
threshold  values  between  high,  moderate,  and  low  (or  unacceptable,  marginal, 
and  acceptable)  risks  are  dependent  upon  the  failure  event,  the  consequences 
of  that  failure,  and  society’s  willingness  to  accept  the  risk. 
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Comparison  between  the  safety  index-reliability  curves  and  probability- 
consequence  curves  for  undesirable  outcomes  is  performed  to  determine  the 
relative  risk  to  the  undesirable  outcome  being  modeled.  This  is  expressed 
diagramatically  in  Figure  C.9  where  the  risk  index-reliability  curve  is 
compared  with  the  reliability-consequence  curve. 

Further  evaluation  of  the  models  are  performed  to  assess  management 
alternatives  to  prevent  and  mitigate  the  impacts  of  HOE  related  factors.  This  is 
performed  to  determine  if  the  impact  upon  the  system  will  increase  the 
reliability  of  the  system  such  that  the  risk  becomes  acceptable.  This  can  be 
expressed  diagramatically  in  Figure  C.9  where  the  risk  index-probability 
curve  is  compared  with  the  probability  of  failure  acceptability  curve. 

There  is  a  six  step  approach  to  confirmation  of  the  modeling  procedure 
and  the  HESIM  to  both  assess  the  risk  of  a  particular  undesirable  target  event 
and  generate  the  safety-reliability  curves  shown  in  Figure  C.9.  The  approach 
is  as  follows: 

(1)  Determine  the  threshold  probabilities  between  acceptable, 
marginal,  and  unacceptable  risks  for  the  operation  being 
modeled.  These  can  be  done  through  judgments,  historical  data 
comparison,  financial  settlements  for  prior  casualties,  etc. 

(2)  Determine  the  probability  of  the  target  event  being  modeled 
through  judgment  or  historical  data. 

(3)  Using  the  post-mortem  study  data,  calculate  the  human  error 
safety  indices  (risk  indices)  under  the  specific  operating 
conditions  using  HESIM.  Input  the  human  error  indices  into  the 
influence  diagram  template  model  representing  the  particular 
characteristics  of  the  scenario  being  modeled. 

(4)  Calculate  the  risk  index  for  the  undesirable  target  event  by 
reducing  the  IDA. 

(5)  Compare  the  results  of  the  risk  index  with  the  target  event 
probability.  If  the  risk  index  and  probability  of  the  target  event  are 
consistent  with  case  study  implications,  continue. 

(6)  If  the  safety  index  and  probability  of  failure  are  inconsistent, 
calibrate  the  HESIM  to  attain  consistency  of  results.  This  can  be 
conducted  by  reexamining  the  impact  of  error  contributors  or 
further  detailing  the  model. 

(7)  Repeat  Steps  1-6  for  other  case  histories  to  develop  more  reliable  results. 
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Figure  C.9  -  Safety  index-probability-consequence  curve  comparisons  for 
acceptable  risk  determination 


Status 

User  interactive,  windows  oriented,  spreadsheet  based  software  has 
been  developed  to  facilitate  performing  HESIM  operations  evaluations  and  risk 
index  calculations.  Extensive  documentation  including  example  applications 
has  been  developed  to  guide  evaluations  of  operations  related  hazards 
associated  with  ships  and  offshore  platforms  [Moore,  Bea,  1993]. 

A  field  testing  and  development  project  was  initiated  during  1993.  The 
objectives  of  this  two-year  project  are  to  further  develop  and  verify  the  HESIM 
algorithms,  to  demonstrate  its  application  to  loading  and  discharge  operations 
associated  with  commercial  crude  carriers,  and  provide  initial  calibration  of 
its  quantitative  results. 

This  project  also  involves  review  and  assessment  of  existing  databases 
that  contain  information  on  tanker  loading  and  discharge  accidents.  This 
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review  is  expected  to  lead  to  definition  of  improved  database  formats  that  can  be 
used  to  supply  quantitative  and  qualitative  information  for  HESIM  evaluations 
of  this  type  of  ship  operation. 


FLAIM 


FLAIM  ( Fire  and  Life  safety  Assessment  Indexing  Method)  can  be 
described  as  a  quantitative  SIM  in  which  selected  key  factors  relevant  to  fire 
safety  and  life  safety  are  identified,  assessed  and  assigned  numerical 
(weighting)  values  [Gale,  et  al.  1994].  Risk  contributing  factors  are  indexed 
and  ranked  using  a  weighting  system  algorithm,  keyed  to  relative 
(comparative)  risk,  to  yield  a  set  of  risk  indexes,  and  an  overall  risk  index  for 
topsides  facilities.  For  familiarity  and  ease  of  use,  an  academic  letter  grading 
scheme  (A,  B,  C,  D,  F)  based  on  a  4.0  grade-point  scale  was  selected  as  the 
framework  for  assessing  risk  contributors. 

Key  topsides  risk  factors,  identified  on  the  basis  of  scenario  analysis, 
expert  opinion,  and  historical  records,  are  selected  and  evaluated  by  the  user 
together  with  provided  or  planned-for  risk  reduction  measures.  Life  safety  is 
assessed  independently  from  fire  safety,  using  risk  factors  specific  to  each,  but 
accounting  for  their  close  interdependence  .  The  adequacy  of  risk  reduction 
measures  and  the  overall  platform  Safety  Management  System  (SMS)  can  be 
assessed  by  calculating  the  RIRA  (Risk  Reduction  measures  Assessment )  and 
SAMSA  (SAfety  Management  System  Assessment )  indexes.  These  indexes 
reflect  provision  of  risk  mitigating  and  safety  management  status  of  the 
facility.  They  are  combined  with  fire  safety  and  life  safety  indices  in  order  to 
arrive  at  an  overall  topside  risk  assessment  index. 

The  FLAIM  assessment  procedure  is  outlined  in  Figure  C.10.  There  are 
eight  separate  risk  assessment  modules,  each  of  which  yield  individual  risk 
indices  used  to  calculate  an  overall  Topsides  risk  index,  drive  FLAIM's 
algorithm.  The  titles  of  the  modules  are  summarized  in  Table  C.4 


Table  C.4  -  FLAIM's  risk  assessment  modules 


•  General  Factors  Assessment 

(GEFA) 

•  Operations  and  Human  Factors  Assessment 

(OH  FA) 

•  Loss  of  Containment  Assessment 

(LOCA) 

•  Risk  Reduction  Measures  Assessment 

(RIRA) 

•  Vulnerability  to  Escalation  Assessment 

(VESA) 

•  Life  Safety  Assessment 

(LISA) 

•  Layout  and  Configuration  Assessment 

(LACA) 

•  Safety  Management  Systems  Assessment 

(SAMSA) 
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Figure  C.10  -  FLAIM  assessment  procedure  and  modules 
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Two  of  the  FLAIM  modules  are  of  particular  interest  to  this  project.  The 
Operational  /  Human  FActors  Assessment  (OFHA)  module  and  the  Safety 
Management  System  Assessment  (SAMSA)  module.  These  modules  attempt 
to  capture  the  essence  of  HOE  as  they  affect  offshore  platforms.  These  will  be 
defined  in  the  next  two  sections. 


Operational  Human  Factors  Assessment  (OFHA) 

Errors  involving  operational  activities  are  considered  to  constitute  the 
single  most  important  class  of  risk  contributors  leading  to  platform  fires, 
explosions,  and  loss  of  life.  Many  individual  factors  contribute  to  this  problem 
including  fundamental  deficiencies  in  organizational  aspects  of  the 
management  structure.  In  OFHA,  FLAIM  seeks  to  identify  those  normally 
encountered  production  activities  which  may  involve  either  an  inordinate 
reliance/dependence  on  human  judgment  to  avoid  serious  consequences 
(direct-link  couplings),  or  activities  in  which  the  risk  of  error  is  compounded 
by  the  complexity  or  multiplicity  of  the  tasks  involved,  e.g.,  multiple 
simultaneous  operations  such  as  drilling,  producing  and  maintenance 
involving  hot  work  or  startup  of  equipment. 

The  OFHA  risk  assessment  module  contains  approximately  167 
questions  covering  five  subcategories  (Figure  C.ll): 

•Maintenance  and  Repair  Work  (MARW), 

•Multiple  Operations  Assessment  (MULOPS), 

•Operational  Management  Of  Change  (MOCOPS), 

•Assessment  Of  Operator  Dependence  And  Response  (OPSDAR),  and 
•Operational  History  (OPHIST). 


Operational  &  Human  H 
Factors  Assessment  I 
(OH FA)  Risk  Module  | 


Maintenance  and 
Repair  Work 
(MARW) 


Multiple  Operations 
Assessement 
(MULOPS) 


Operational  Management 
of  Change 
(OPSMOC) 


Operator  Dependence 
and  Response 
(OPSDAR) 


Operational  History 
Assessment 
(OPSHIST) 


Figure  C.ll  -  Components  of  the  operational  human  factors  assessment  - 
OFHA 
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MARW  addresses  operational  risks  during  times  when  maintenance 
and  repair  activities  are  taking  place  on  the  platform  -  a  time  when  many 
accidents  happen.  These  activities  include: 

•major  renovations/additions, 

•turnarounds 

•routine  maintenance/repair  work  involving  equipment  entry,  line- 
breaking,  and  hotwork 

•pipeline  pigging/scrapper  work 

•downhole  wireline  work  such  as  removing  and  testing  storm  chokes 

•workover  operations 

•specialty  work,  such  as  pipeline  riser  retrofits/additions,  control 
system  modifications  necessitating  temporary  bypass  of  safety  shut¬ 
down  functions,  fire  protection  system  work  causing  temporary 
impairment  of  the  protection  systems 

Often  times  MARW  activities  involve  "line-entry"  or  "vessel-entry" 
procedures  whereby  the  risk  of  an  loss  of  containment  event  is  increased. 
Normal  process  control  elements,  pressure  relief  valves,  emergency  shut 
down  valves,  and  other  control  and  safety  provisions  may  be  placed  in  a  bypass 
mode  or  be  removed  from  the  system,  thereby  increasing  the  potential 
vulnerability  to  an  initiating  event.  Hot  work  involving  welding,  cutting, 
grinding,  etc.  is  also  commonly  included,  resulting  in  increased  ignition  risk. 

During  MARW,  reliance  on  human  intervention  and  judgment  is 
greatly  increased  over  that  required  for  normal  operations  --  both  from  a 
preventative  and  a  response  standpoint.  More  things  can  go  wrong,  and  there 
is  a  greater  dependency  on  worker  judgment  to  make  the  correct  decisions. 
However,  there  is  also  a  greater  risk  of  error  during  such  activities,  especially 
so  when  non-routine  operations  are  involved,  job  complexities  are  increased, 
and  work  crews  may  be  diverse  and  unfamiliar  with  the  facilities  or 
inadequately  trained  in  the  particular  operations  taking  place. 

The  criticality  of  any  particular  MARW  activity  has  been  distinguished 
into  four  major  categories: 

•  process  critical, 

•  process  non-critical, 

•  non-process  critical,  and 

•  non-process  non-critical. 

Process  critical  operations  are  considered  to  be  those  activities  that 
involve  vessel  and/or  line  entry  into  hydrocarbon  handling  systems  and 
equipment,  e.g.,  operations  posing  an  immediate  risk  of  Loss  Of  Containment 
(LOC).  This  includes  all  topsides  process  systems  in  which  crude  oil,  natural 
gas,  natural  gas  liquids  (condensate)  liquefied  petroleum  gases,  and  imported 
flammable  liquids  (methanol,  glycol,  aviation  gasoline,  etc.)  are  either 
processed,  treated  or  otherwise  handled/stored. 
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Process  non-critical  operations  are  considered  in  FLAIM  to  involve 
equipment  and  systems  that  handle  non-volatile,  combustible  liquids  (flash 
points  above  140°F)  at  or  near  atmospheric  pressure,  such  as  fuel  oil,  diesel 
fuel,  and  lubricants. 

Non-process  critical  operations  are  those  activities  that  impact  a 
platform's  ability  to  respond  to  an  LOC  event,  including  fire  and  explosion,  or 
that  increases  the  risk  of  ignition  should  an  LOC  event  occur.  Any  hot  work 
activity  not  involving  process  critical  activities  would  fall  into  this  category.  In 
addition,  work  that  would  require  deactivation  of  any  safety  system,  such  as  a 
fire  or  gas  detection  (as  may  be  necessary  during  hot  work),  a  fire  pump,  or  a 
deluge  system,  is  included  herein. 

Non-process  non-critical  work  are  considered  in  FLAIM  to  include  those 
routine  maintenance  and  repair  activities,  e.g.,  chipping  and  painting,  that  do 
not  directly  increase  LOC  risk,  but  by  their  very  presence  onboard,  may  add  to 
platform  supervisory  and  manpower  demands,  thereby  contributing  to  overall 
increase  in  platform  risk  during  simultaneous  operations. 

In  OFHA,  FLAIM  recognizes  that  platform  operational  risk  levels  are 
time  dependent,  varying  in  both  the  long  term,  e.g.,  emerging  safety 
deterioration  trends,  and  in  accordance  with  the  nature  of  daily  operations. 
MULOPS  assesses  the  frequency  and  nature  of  those  simultaneous  activities 
that  produce  short  periods  of  high  operational  risk. 

Simultaneous  operations  are,  in  general,  significant  risk  contributors 
depending  on  the  nature  and  number  of  simultaneous  operations  occurring; 
this  is  especially  true  whenever  downhole  work  is  in  progress  on  live  (capable 
of  flowing)  wells.  Large  platforms  may  have  several  contractor  crews  engaged 
in  different  construction/maintenance  activities  at  the  same  time,  and  while 
normal  production  and  drilling  activities  are  also  taking  place. 

MULOPS  seeks  to  evaluate  the  relative  risk  of  simultaneous  multiple 
operations  by  establishing  their  nature,  relative  proximity  to  each  other,  and 
the  frequency  of  their  occurrence.  Simultaneous  operations  during  production 
may  include  drilling,  workovers,  wireline  operations,  refueling  of  onboard  fuel 
supplies,  ofl/onloading  bulk  supplies,  pig  launching  and  receiving,  and 
various  construction  and  maintenance  activities,  such  as  installation  of  riser 
safety  valves. 

The  extent  to  which  operational  safety  and  the  control  of  emergency 
situations  depends  upon  operator  response  is  an  important  risk  consideration. 
Platform  process  systems  designed  with  protective  systems  that  automatically 
sense  and  initiate  corrective  actions  to  developing  emergency  situations  are  apt 
to  be  less  vulnerable  to  errors  in  human  judgment  or  lack  of  prompt  operator 
response.  OPSDAR  seeks  to  evaluate  the  extent  to  which  the  platform  design 
and  operational  scheme  places  reliance  on  operator  response  and  judgment  in 
order  to  safely  shutdown  topside  systems  and  respond  to  LOC  events. 
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Cognitive  and  sensory  limits  of  operator  response  becomes  increasing 
important  in  accident  causation  as  the  demands  placed  on  operators  increase. 
This  problem  is  much  the  same  faced  by  military  fighter  pilots  who,  compared 
with  their  immediate  predecessors,  have  both  a  much  greater  array  of  sensory 
information  to  deal  with  as  well  as  a  much  short  time  in  which  to  arrive  at 
correct  decisions  (due  to  higher  flying  velocities).  The  1979  Three  Mile  Island 
nuclear  plant  accident  was  largely  a  result  of  a  failure  to  properly  sort  out  and 
recognize  critically  important  information  during  the  developing  crisis 
scenario. 

OPSDAR  uses  a  what-if  scenario  based  approach  to  determine  if 
emergency  response  plans  are  inadvertently  placing  too  much  reliance  on 
operators  performing  critically  important  tasks  or  otherwise  (overburdening) 
platform  personnel  to  ensure  safety.  For  example,  OPSDAR  asks  if  platform 
blowdown  system  valves  are  automated  or  if  operators  must  manually  open 
them  to  depressure  system  piping;  are  platform  deluge  systems  automatically 
actuated  or  must  operators  manually  open  local  control  valves;  are  deluge 
systems  provided  or  are  operators  expected  to  fight  fires  manually  with  hand- 
hose  lines,  etc. 

FLAIM  includes  a  component  intended  to  identify  endemic  operational 
problems  as  may  be  evidenced  by  reoccurring  accident  events.  OPHIST 
addresses  the  operational  history  of  the  platform  and  seeks  to  determine  if 
certain  types  of  operational  related  events  are  more  prone  to  occur.  This 
information  is  intended  to  distinguish  between  appropriate  changes  that  may 
need  to  occur  and  those  that  may  have  already  been  implemented  to  rectify  the 
root  cause  of  such  events. 


Safety  Management  System  Assessment  (SAMSA) 

The  SAMSA  module  contains  those  factors  identified  as  being  most 
prevalent  in  failures  of  the  Safety  Management  System.  SAMSA  seeks  to 
assess  the  adequacy  of  management's  ability  to  identify  and  respond  to  root- 
cause  errors  stemming  from  human  and  organizational  factors.  Thirteen 
error  classifications  have  been  identified  in  the  HOE  taxonomy  developed  by 
Moore  and  Bea  [1993].  These  classifications  have  been  subdivided  into  four 
general  categories,  all  of  which  are  subject  to  external  environmental 
influences. 

In  FLAIM's  SAMSA  risk  module,  factors  identified  in  the  HOE 
taxonomy  are  accounted  in  the  four  subcategories: 

1)  Management  Systems  (MASA), 

2)  Fire  (Emergency)  Preparedness  (FIPA), 

3)  Safety  Training  (SATA),  and 

4)  Management  of  Change  Management  Program  (MOCMAP). 
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The  components  of  the  SAMS  A  risk  evaluation  module  are  illustrated  in 
Figure  C.12. 


Figure  C.12  -  Safety  Management  System  assessment  module  components 


MASA  is  further  subdivided  into  four  separate  risk  assessment  sections: 

1)  Management  Systems  Safety  Culture  Assessment  (SCULA), 

2)  Organizational  Responsibility  &  Resources  (OR&R), 

3)  Company  Policies  and  Procedures  (POLPRO),  and 

4)  Accountability  &  Auditing  (ACAU). 

Each  of  these  components  of  SAMSA  are  considered  to  be  interdependent 
and  essential  to  achieving  fire  and  life  safety  operating  goals. 

The  four  MASA  components  component  of  SAMSA  form  a  synergism 
that  are,  in  fact,  a  compilation  of  the  (fourteen)  essential  elements  of  Total 
Quality  Management  (TQM)  as  expounded  by  Deming.  These  elements  are  the 
sole  responsibility  of  top  management  and  can  only  be  carried  out  by  top 
management;  they  serve  as  direct  indicators  of  management's  awareness  of 
and  commitment  to  continued  safe  operations. 

The  most  essential  element  stressed  by  Deming  in  his  fourteen  point 
approach  to  TQM  is  his  last  program  element  —  creating  a  structure  and 
environment  in  top  management  that  is  conducive  to  continually  cultivating 
and  building  upon  on  the  other  thirteen  points,  e.g.,  develop  a  "corporate 
culture"  of  quality  that  permeates  down  and  throughout  the  entire 
organization.  Deming  believed  in  the  need  to  develop  a  "constancy  of  purpose 
towards  improvement"  in  which  management's  philosophy  embraces  bold 
(new)  concepts  aimed  at  empowering  the  worker,  creating  organizational 
incentives  encouraging  and  rewarding  self-improvement,  eliminating  worker 
fear  (to  do  the  right  thing)  and  removing  barriers  to  improving  quality  and 
safety,  e.g.,  imposed  production  quotas. 
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The  SCULA  section  of  MASA,  together  with  OR&R  and  the  other 
Management  System  components,  identify  and  assess  key  indicators  of 
management's  awareness  and  commitment  to  these  ideals. 

Organization  Responsibility  and  Resources  (OR&R)  seeks  to  identify 
weak  safety  culture  environments  by  asking  questions  about:  the  company's 
safety  and  loss  prevention  staff  relevant  to  the  number  of  platforms 
beiinstructions  on  how  to  achieve  those  goals,  the  course  of  platform  safety 
goes  uncharted.  Company  Policies  and  Procedures  (POLPRO)  asks  if  the 
platform  operator  has  a  written  policy  establishing  definitive  safety  objectives, 
goals,  practices  and  the  means  to  monitor,  measure,  and  improve  meeting 
safety  targets. 

The  POLPRO  element  of  MASA  accounts  for  the  status  of  written,  up-to- 
date  operating  instructions  for  all  topside  systems  and  process  components, 
including  startup  procedures,  normal  and  temporary  operations,  emergency 
operations  including  emergency  shutdowns  (for  each  level  of  shutdown),  and 
black-start  restarts  from  complete  shutdowns  of  all  platform  operations  and 
power  sources.  Individual  startup/shutdown  and  operating  instructions  for 
pumps,  compressors,  fired  heaters,  should  be  explicit  to  the  machine  in  its 
"as-built"  (as-installed)  condition. 

A  written  Safe  Work  Practices  (SWP)  Manual  should  cover  many 
routine  tasks  including:  line  and  vessel  opening/entry  operations,  lockout  and 
tagout  procedures,  confined  space  entry,  hot  work  and  cutting  operations, 
inerting  and  purging  practices,  heavy  lifts  and  crane  operations,  sampling 
and  sample  connections,  opening  of  drains  and  vents,  use  of  personal 
protective  clothing  and  gear,  etc.  The  Permit  to  Work  procedure  should  be 
clearly  explained  both  in  concept  and  in  explicit  requirements.  In  addition, 
accident  investigation  instructions  and  forms  may  be  included  in  the  SWP 
manual  or  provided  as  a  separate  document  in  the  emergency  response  plan. 
These  issues  are  addressed  by  the  POLPRO  component  of  MASA. 

Emergency  Response  Plans  are  also  another  important  element 
included  in  POLPRO.  Most  platforms  will  already  have  written  plans  for  oil 
spills  and  for  emergency  evacuation  as  required  by  MMS  and  the  USCG. 
POLPRO  seeks  to  assess  the  adequacy  of  these  procedures  and  asks  about  the 
frequency  of  emergency  response  drills  and  the  provision  of  improving  written 
plans  based  on  feedback  from  lessons  learned  in  rehearsals. 

Successful  implementation  of  the  platform's  safety  management 
program  depends  to  a  large  extent  on  the  means  used  to  measure  progress  in 
meeting  safety  goals  and  to  effect  improvements  in  program  execution. 
Accountability  is  required  to  effect  change  and  realize  improvements.  The 
ACAU  element  of  MASA  seeks  to  determine  if  the  safety  program  is  being 
effectively  carried  forward  with  the  requisite  level  of  management  support  and 
accountability  necessary  for  meaningful  implementation.  This  includes 
auditing  of  the  safety  assurance  and  written  reports  to  management. 


294 


Appendix  C 


HESIM  &  FLAIM  Safety  Indexing  Methods 


An  important  risk  indicator  in  MASA  is  an  operating  company's 
"lessons-leamed"  program.  ACAU  asks  the  operator  about  the  disposition  of 
information  collected  in  near-miss  and  accident  reports.  A  pro-active 
approach  taken  in  analyzing  and  learning  from  operational  experiences,  and 
then  following  through  by  communicating  this  information  and  revising 
company  practices  accordingly,  is  one  indicator  of  a  strong  safety  culture. 
Conversely,  compliance  with  accidents  report  requirements  as  mandated  by 
MMS  OCS  Orders  and  committing  the  information  to  a  file  cabinet  without 
further  thought  is  clear  evidence  of  a  "compliance  mentality"  as  described  by 
the  CAI. 

The  FIPA  component  of  the  SAMSA  risk  assessment  module  seeks  to 
measure  a  operating  crew's  preparedness  and  ability  to  effectively  deal  with 
developing  emergency  situations.  FIPA  does  not  address  hardware  aspects  of 
preparedness;  these  are  accounted  for  in  RIRA.  FIPA  is  the  complementary 
component  to  RIRA  and  evaluates  the  human  and  organizational  factors 
deemed  critical  to  controlling  a  developing  fire  scenario. 

The  extent  of  human  intervention  necessary  to  successfully  control  a 
developing  situation  depends  to  a  large  extent  on  the  platform  design,  its 
susceptibility  to  loss  of  containment  events,  provisions  for  automatic  detection, 
control,  and  shutdown,  and  the  platform's  inherent  vulnerability,  or 
conversely,  its  robustness  to  resist  thermal  impact.  There  are  two  terms  in 
"the  equation"  for  assessing  fire  preparedness,  each  containing  several 
variables. 

The  first  term  evaluates  management's  understanding  of  exactly  what 
role  the  crew  is  expected  to  play  in  any  given  emergency  situation.  The 
assessment  seeks  to  address  issues  of  response  expectancy  with  a  view  to 
determining  whether  or  not  an  unrealistic  reliance  and  dependency  has 
developed  on  a  crew's  ability  to  respond. 

For  example,  identification  of  critical  manual  tasks  necessary  for 
successful  fuel-source  isolation  in  a  LOC  event,  when  compared  to  concurrent 
demands  for  fire-fighting,  communications,  and  general  platform  shutdown, 
may  show  an  inordinate  dependence  on  human  response  in  some  scenarios. 
Quite  often,  emergency  demands  placed  on  crew  members  tend  to  evolve  and 
change  in  response  to  platform  modifications  and  expansions.  The 
cumulative  effect  may  exceed  reasonable  response  expectancies,  but  go 
unrecognized  for  lack  of  an  emergency  operability  study. 

The  second  term  in  the  fire  preparedness  equation  addresses  the  crew's 
preparedness  and  capability  to  carry  out  those  essential  demands  placed  on  it 
under  various  emergency  scenarios,  assuming  the  demands  are  reasonable  as 
evaluated  above.  This  requires  and  assessment  of  the  crew's  knowledge  and 
understanding  of  what  is  expected  for  a  given  situation,  their  ability  and 
willingness  to  effect  their  duties,  and  the  capability  to  demonstrate  this 
through  hands-on  hypothetical  training  exercises  for  emergency  situations. 
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The  Safety  Training  Assessment  (SATA)  component  of  the  SAMSA  risk 
module  is  intended  to  evaluate  the  overall  level  of  formal  personnel  training 
and  operator  qualifications.  Recognizing  that  human  and  operational  error  is 
the  primary  cause  of  offshore  accidents,  the  adequacy  of  training  at  all  levels 
throughout  the  organization  is  assessed  -  both  from  an  operational  standpoint 
and  from  a  risk  aversion/cultural  standpoint. 

In  the  Management  of  Change  Management  Program  (MOCMAP) 
section  of  the  SAMSA  risk  module,  FLAIM  asks  if  the  prerequisite  elements  of 
a  MOC  management  program,  as  identified  by  accepted  codes  of  practice  for 
the  operations  of  offshore  platforms  are  established  and  implemented  in 
written  procedures.  This  should  include  the  requirement  for  a  hazards 
analysis  of  the  safety,  health  and  environmental  implications  of  the  proposed 
change,  including  its  direct  local  impact  and  global  ramifications  to  the  overall 
risk  level  of  the  platform.  Such  an  evaluation  may  be  performed  by  using 
FLAIM's  methodology  to  assess  these  impacts. 


The  FLAIM  Algorithm 

FLAIM's  input  data  is  requested  in  one  of  three  primary  forms:  (1) 
binary,  (2)  qualitative  letter  grades,  and  (3)  numerical  values.  The  following  is 
an  explanation  of  these  input  values. 

Binary  Input  Data.  The  binary  value  system  (py)  is  presented  by 
answering  "Yes"  or  "No"  (or  "Good"  or  "Bad"  )  to  the  presented  questions. 

The  input  value  returns  a  value  of  0  or  1  dependent  upon  the  assignment  of 
the  value  to  the  answer  (Eqn.  1).  Any  question  that  is  to  be  answered  "Yes"  or 
"No"  in  the  FLAIM  spreadsheet  program  is  followed  by  -  "(Y/N)." 


0  if  "Yes' 
lif  "No" 


0  if  "No" 
1  if  "Yes" 


(C.13) 


for  question  i,  assessment  j. 

Letter  Grades.  The  grade  point  structure  follows  along  the  line  of  the 
grade  point  structures  used  in  academia.  The  grade  points  range  from  "A" 
to  "F"  and  are  assigned  numbers  based  upon  the  same  4.0  point  grading 
system  used  in  many  academic  grading  schemes.  The  algorithm 
automatically  assigns  a  numeric  value  to  the  grade  point  input  provided  by 
the  user  in  the  spreadsheet  (Table  C.5).  Questions  that  directly  use  the  grade 
point  scheme  in  the  spreadsheet  are  provided  with  a  short  description  of 
what  constitutes  the  selection  of  that  grade.  The  grades  are  represented  by  0 
<riij<  4  (risk  assessment  i,  question  j). 
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Table  C.5  -  Grade  point  scheme  for  platform  risk  factors  and  corresponding 

numeric  values 

A  -  "Excellent"  condition  of  the  risk  contributing  factor  upon  the  platform  fire 
and/or  life  safety  (4.0) 

B  -  "Good"  condition  of  the  risk  contributing  factor  upon  platform  fire 
and/or  life  safety  (3.0) 

C  -  "Fair"  condition  of  the  risk  contributing  factor  upon  platform  fire 
and/or  life  safety  (2.0) 

D  -  "Poor"  condition  of  the  risk  contributing  factor  upon  platform  fire 
and/or  life  safety  (1.0) 

F  -  "Bad"  condition  of  the  risk  contributing  factor  upon  platform  fire 
and/or  life  safety  (0.0) 


Numerical  Values.  Quantitative  values  (such  as  barrels  of  oil  per  day 
(BPD),  millions  of  standard  cubic  feet  of  gas  produced  per  day  (mmscfd),  size 
of  operating  crew,  etc.)  are  numeric  value  inputs.  The  units  prescribed  for 
each  input  value  is  provided  at  the  end  of  each  question.  This  information  is 
used  in  the  assessment  of  the  relative  overall  consequence  level  of  the 
platform,  as  well  as  for  evaluations  of  specific  risk  contributing  factors. 


Weighting  Structure.  To  maintain  consistency  with  the  grade  point 
scheme,  all  default  input  values  are  considered  to  range  between  5.0  and  1.0. 
This  is  equivalent  to  the  concept  of  the  number  of  "units"  that  an  academic 
course  is  worth.  The  greater  the  unit  value,  the  greater  the  relative 
importance  of  that  factor  to  the  grading  scheme. 

The  weighting  structure  of  FLAIM's  algorithm  has  two  types  of  value 
inputs  (coy)  (risk  assessment  i,  question  j):  (1)  direct  input  value  assessment 
of  weighing  values,  and  (2)  indirect  input  value  assessment,  e.g.,  values 
generated  as  part  of  the  algorithm.  Direct  inputs  are  provided  by  the  user's 
assessment  of  the  relative  importance  of  that  particular  factor  to  fire  and  life 
safety  on  any  given  platform. 

Indirect  value  assessments  can  be  made  through  summing  the  binary 
input  values  (Pijk)  which  are  made  up  of  sets  of  sub-questions.  There  can  be 
between  2  and  23  sub-questions  dependent  upon  the  importance  of  the  factor 
in  question  to  fire  and/or  life  safety. 

Indirect  value  assessments  are  also  functions  of  the  numeric  input 
values.  These  values  are  used  to  weigh  the  relative  importance  of  fire  and 
life  safety  risk.  For  example,  if  there  is  a  small  crew  contingent  aboard  the 
platform,  there  is  a  smaller  overall  risk  of  injury  or  loss  of  life  to  personnel 
than  if  there  was  a  large  operating  crew.  Or,  for  example,  production  rates 
(high  or  low)  may  have  a  great  impact  upon  the  loss  of  containment  risk. 
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Value  Structure.  The  primary  algorithm  structure  is  in  the  form 
shown  in  Equation  C.14.  This  general  algorithm  structure  is  similar  to  that 
of  the  academic  grading  scheme  shown  in  Equation  C.13.  The  grade  point 
average  (GPA)  is  determined  by  summing  the  product  of  the  grades  and 
credits  for  each  course  (total  of  p  courses)  and  dividing  by  the  total  number  of 

credits,  This  value  is  the  GPA, 


n 


XCO..TI.. 
y  'u 


(C.14) 


GPA  = 


p 

Credit ,  Grade, 

_i _ 

p 

^  Credit , 

i 


(C.15) 


Numeric  Value  Range  Assignments.  The  numeric  value  assignments 
have  a  pre-defined  "value  range"  that  determine  the  grading  structure. 
Single-question  numeric  value  assignments  have  direct  value  assignments. 
Multiple-question  numeric  value  assignment  questions  use  an  averaging  of 
values  obtained  from  each  sub-question.  As  already  explained  the  user  is 
asked  to  determine  the  range  values  that  determine  the  grading  structure 
based  on  the  particular  platform  design  and  operation  circumstances  under 
scrutiny;  FLAIM  has  been  intentionally  designed  to  allow  either  the  user,  or 
the  consensus  of  a  user's  group,  to  "calibrate"  the  risk  assessment  process. 

Binary  Value  Assignments.  The  binary  input  value  assignments  are 
given  dependent  upon  whether  the  question  has  a  positive  or  negative  impact 
upon  fire  and  life  safety  values.  Multiple-binary  value  assignments  are 
averaged  over  the  sub-questions  to  provide  an  overall  grade  for  that  particular 
question. 

Grade  Value  Assignments.  Single  grade  value  assignments  are  based 
directly  upon  the  A-F  structure  described  in  Table  C.5.  The  multiple  sub¬ 
question  value  assignments  use  the  A-F  grading  scheme.  Similar  to  the 
numerical  and  binary  multiple  sub-question  value  assignments  a  mean 
grade  value  is  used  by  averaging  the  grade  over  the  number  of  sub-questions. 

Question  Weighting  Assignments.  In  accordance  with  Table  C.6  default 
values  are  assigned  to  the  weight  of  each  question  dependent  upon  the  level  of 
the  assessment.  Certain  FLAIM  questions  have  already  been  pre-determined 
as  suggested  red-flag  or  "red-level"  questions.  These  questions  have  been 
deemed  to  be  particularly  important  to  the  safe  operations  of  any  offshore 
platform.  Weighted  value  assignments  for  these  factors  are  assigned  by  the 
user;  those  questions  identified  of  particular  importance  may  be  assigned 
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weighting  values  greater  than  those  assigned  at  the  Tiers  1-3  levels.  However, 
FLAIM  also  allows  the  user  to  reassign  the  suggested  default  value  of  any 
selected  question.  If  the  assigned  value  exceeds  the  Tier  1  level  value  of  5, 
FLAIM  automatically  designates  the  question  to  a  "red-level"  status. 

Factors  from  Tier  1  (initial  screening)  assessments  are  assigned  the 
highest  weighted  values  since  they  account  for  the  most  important 
contributing  fire  and  life  safety  factors  specific  to  the  platform  being  assessed.1 
More  detailed  Tier  2  and  Tier  3  questions  are  weighted  correspondingly  lower 
to  reflect  their  relative  importance  to  overall  fire  and  life  safety. 


Table  C.6  -  Value  Weighting  Assignments  According  To  Relative  Importance 


Relative  Importance  of 
Assessment  to  Fire  or  Life 
Safety 

Assessment  Level 
Assignment 

Default* 

Weighting  Value 

Assignment  -  coy 

Red-Level 

Initial 

Assigned  by  users 

High 

Tier  1 

5  (5-4) 

Moderate 

Tier  2 

3  (3-2) 

Low 

Tier  3 

1(2-1) 

*  Values  in  parentheses  are  value  assignment  ranges  for  each  assessment  level. 


Though  default  values  are  assigned,  FLAIM  allows  users  to  modify  the 
value  to  reflect  their  preferences  and  experiences.  Should  a  Tier  2  or  Tier  3 
factor  be  assigned  a  higher  weight  value  comparable  to  that  at  a  level  higher 
than  originally  assigned,  the  user  may  reevaluate  whether  that  contributing 
factor  should  be  reassigned  to  a  higher  Tier  level.  At  the  user's  discretion, 
these  values  may  be  changed  to  account  for  the  relative  importance  of  the 
question  as  determined  by  a  consensus  of  the  user  group  performing  the 
analysis. 


Individual  FLAIM  Assessment  Grades.  Equation  C.16  is  used  to 
determine  the  GPA  for  any  assessment  j  (r|j).  As  shown  in  Equation  C.18,  the 
grade  value  is  assigned  according  to  the  question  type.  Each  question  is 
weighted  according  to  its  Tier  level  assignment  except  for  the  critical  level 
where  the  weighted  value  is  assigned  by  the  users  (ly). 


1  The  basic  difference  between  red-level  and  Tier  1  questions  is  that  the  former  are  considered 
to  be  questions  which  are  generally  important  to  the  operations  of  all  offshore  structures, 
whereas  Tier  1  level  questions  may  be  specific  to  the  platform  being  analyzed 

pre-defined  range  value  for  question  i,  assessment  j,  and  range  value  t 

4y1y*k:  pre-defined  range  value  for  question  i,  assessment  j,  sub-question  k  and  range  value  t 
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where 


if  question  i,  assessment  j  is  single  question  numeric 
if  question  i,  assessment  j  is  sub -question  numeric 
if  question  i,  assessment  j  is  single  question  binary 
if  question  i,  assessment  j  is  sub  -  question  binary 
if  question  i,  assessment  j  is  single  question  grade  value 
if  question  i,  assessment  j  is  sub  -  question  grade  value 

It,  //"Red -Level" 

ij  j 

5  if  Tier  1 

co  = 

"  3  if  Tier  2 

1  if  Tier  3 


(C.17) 


(C.18) 


FLAIM's  Overall  Fire  and  Life  Safety  Index 

To  determine  the  platform's  overall  Fire  and  Life  Safety  Index  a 
weighted  sum  of  all  risk  assessment  modules  is  made  to  determine  the  index 
value.  Equation  C.19  is  the  weighted  assessment  used  to  calculate  the  overall 
Fire  and  Life  Safety  Index.  The  weighted  assessment  procedures  allows  the 
user  to  take  into  account  the  overall  relative  importance  on  any  single  risk 
assessment  module  relative  to  each  other,  e.g.,  how  GEFA,  LOCA,  VESA, 
LACA,  OHFA,  RIRA,  LISA  and  SAMSA  should  be  considered  on  a 
comparative  basis. 


5 

GP Aovcraii  =  Overall  Fire  and  Safety  Index  =  *7, 

>=i 


where 


(C.19) 


FLAIM  calculates  the  overall  Fire  and  Life  Safety  Index  using 
equal  weighting  among  all  risk  assessment  modules  as  a  default  condition. 
This  is  in  recognition  of  the  need  to  assess  each  module's  relative  weighting 
value  based  on  the  particular  platform  under  consideration;  not  because  of  any 
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implied  level  of  equivalency.  For  example,  on  newer  platforms  the  risk  of  LOC 
events  due  to  mechanical  failure  may  be  judged  to  be  relatively  low,  while  the 
likelihood  of  a  human  error  caused  accident  may  be  high  due  to  simultaneous 
drilling,  production,  and  construction  activities.  In  this  regard,  it  is 
important  for  the  user  to  establish  a  uniform  application  of  weighting  values 
among  groups  of  similar  platforms  in  order  to  derive  meaningful  results  from 
this  procedure. 


Status 

User  interactive,  windows  oriented,  spreadsheet  based  software  has 
been  developed  to  facilitate  performing  FLAME  evaluations  and  risk  index 
calculations.  Extensive  documentation  including  an  example  application  has 
been  developed  to  guide  evaluations  of  fire  and  explosion  hazards  on  offshore 
platforms  [Gale,  Bea,  Williamson,  1993]. 

A  field  testing  and  development  project  has  been  proposed  (1994).  The 
objectives  of  this  project  are  to  further  verify  the  FLAIM  algorithms,  to 
demonstrate  its  application  to  assessment  of  a  variety  of  offshore  platform 
operations,  and  provide  initial  calibration  of  its  quantitative  results. 
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EXAMPLE:  PRA  OF  HOE  IN  DESIGN 
OF  AN  OFFSHORE  PLATFORM 


Introduction 


This  example  was  developed  during  the 
research  project  performed  and  reported  by  Pat6- 
Comell  and  Bea  [1988, 1992].  The  example 
addresses  HOE  in  design  of  the  structure  for  a 
conventional,  steel,  template-type,  pile  supported 
offshore  platform  (Figure  D.l).  It  primarily 
addresses  the  organizational  influences  on  the 
human  related  aspects  of  the  reliability  of  the 
platform  structural  system.  Design, 
construction,  and  operation  life-cycle  phases  of 
the  platform  are  evaluated  with  an  emphasis  on 
the  design  phase.  The  effects  of  checking  in  the 
design  process  are  illustrated  together  with  the 
effects  of  improvements  in  the  QA  /  QC 
processes. 

Three  functions  have  to  be  performed  by 
the  platform  structure:  the  anchoring  provided 
by  the  foundation,  the  support  from  the  jacket, 
and  the  drilling  and  production  activities 
conducted  on  deck(s).  The  potential  initiating 
failures  are:  failure  of  the  foundation  (0),  failure 
of  the  jacket  (A),  and  failure  of  the  deck  (E) 
(Figure  D.l) 

External  loads  such  as  waves  are  applied 
to  the  whole  structure.  Note  that  an  initiating 
failure  means  that  one  of  the  subsystems  fails 
before  the  others  under  external  loads  of  given 
type  and  magnitude.  The  fact  that  the  foundation 
failure  constitutes  an  initiating  failure  under  a 
particular  level  of  wave  load  means  that  the 
capacity  of  the  foundation  is  lower  than  this  level 
of  wave  load,  and  that  the  capacities  of  the  jacket 


FOUND  AT  I ONS 
D _ 


JACKET 
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DECK 

E 


ICE 

BOAT  COLLISIONS 


fiIes 


WAVES,  EARTHQUAKES,  BLOWOUTS 


Figure  D.l  -  Analysis  of 
components,  functions  and 
external  events  for  an 
offshore  platform 
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and  the  deck  exceed  that  of  the  foundation.  Therefore,  initiating  failures  are 
mutually  exclusive  events. 

Let  w  be  a  particular  level  of  wave  loads  and  p(.  I  w)  the  failure 
probability  of  a  given  system  conditional  on  w.  The  failure  probability  of  the 
platform  is  therefore: 

p(F  I  w)  =  p(0 1  w)  +  p(A  I  w)  +  p(E  I  w)  (D.l) 

The  annual  probability  of  failure  of  the  structure  subjected  to  these  loads 
can  be  computed  as  the  result  of  the  hazard  analysis  (e.g.,  probability  density 
function  for  the  annual  maximum  wave  height  f\y(w)),  and  the  fragility 
analysis  above  that  reflects  the  capacities  of  the  different  subsystems  to 
withstand  these  loads  and  is  described  by  the  probability  of  failure  conditional 
on  a  given  wave  height  (p(F  I  w)). 

The  overall  failure  probability  can  be  written: 

p(F)=J  f\y(w)  x  p(F  I  w)  dw  (D.2) 


Typical  results  of  a  PRA  for  a  whole  structure  can  be,  for  example:  p(F) 

~  10'3/yr.  Explosions,  blowouts,  and  fires  cause  approximately  80%  of  all 
failures.  Within  this  class  of  external  events,  typical  results  show  that  the 
deck  may  fail  first  in  two  thirds  of  the  cases,  while,  for  the  remaining  third, 
the  foundation  and  the  jacket  are  equally  likely  to  fail  first.  The  rest  of  the 
failure  probability  is  mainly  due  to  excessive  wave  loads  and  can  be  allocated 
among  failures  of  the  jacket  (=15%),  failures  of  the  foundation  (=10%),  and 
failures  of  the  deck  (=5%). 

Typical  final  results  for  annual  failure  probabilities  based  on  a  total 
failure  probability  p(F)  =  2  x  10'3  are  as  follows: 

p(Deck)  =  10-3 

p(  Jacket)  =  6  x  10-4 

p(Foundation)  =  4  x  lO'4 

The  approach  in  this  PRA  evaluation  of  HOE  in  design  of  the  platform 
structure  is  to  compute  a  probability  distribution  for  the  structure  system 
capacity  based  on  an  analysis  of  the  occurrence,  detection,  and  correction  of 
HOE.  The  structure  of  the  aggregation  model  is  based  on  an  ETA  including 
the  probability  and  the  nature  of  errors  in  different  subsystems,  the  reliability 
of  the  review  process  as  a  sequence  of  error  signals  that  can  be  observed  or 
missed,  and  the  effectiveness  of  corrective  actions. 

This  analysis  yields  a  probability  distribution  for  the  capacity  of  the 
structure  to  withstand  loads  given  its  final  state.  PRA  then  allows 
computation  of  the  probability  of  failure  for  each  scenario  of  capacity  and  loads. 
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The  first  step  is  the  identification  of  an  exhaustive  set  of  possible  errors 
in  the  design,  or  the  construction,  or  the  operation  of  a  platform  and  the 
assessment  of  the  probability  of  each  particular  type  of  error.  The  second  step 
is  the  computation  of  the  failure  probability  of  a  particular  member  or 
subsystem  given  the  occurrence  of  each  type  of  error.  This  characteristic 
determines  the  level  of  error  severity.  The  third  step  is  the  integration  of  this 
new  failure  probability  (example,  a  particular  member  of  the  jacket)  in  the 
general  PRA  model  in  order  to  compute  the  effect  of  the  design  error  on  the 
overall  reliability  of  the  platform. 

In  this  example  the  errors  are  combined  into  classes  of  severity.  Their 
probability  of  occurrence  and  the  probability  of  failure  of  the  platform 
conditional  on  different  combinations  of  errors  are  obtained,  in  this  section, 
through  encoding  of  expert  opinion  on  the  basis  of  several  data  sets.  These 
data  sets  provide  statistics  about  failure  types  and  failure  causes.  Expert 
opinion  is  used  to  relate  the  error  types  (as  defined  in  the  taxonomy  presented 
above)  to  the  failure  of  the  different  subsystems  and,  therefore,  of  the  whole 
platform. 


Error  Analysis:  Occurrences  and  Types 


In  this  example,  the  classification  of  HOE  is  divided  into  two  basic 
categories  of  errors:  gross  errors  and  errors  of  judgement  (Figure  D.2). 
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Figure  D.2  -  Classification  of  HOE  used  in  PRA 
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Gross  errors  are  defined  as  those  that  develop  uncontroversial  problems 
that  come  from  a  temporary  or  permanent  lack  of  knowledge  and 
understanding  of  a  situation,  or  inability  to  respond  under  specific 
circumstances.  A  distinction  is  made  among  communication  problems 
(either  of  goals  or  of  information),  cognitive  problems,  and  problems  due  to 
human  limitations. 

Gross  errors  (as  well  as  errors  of  judgment)  can  also  be  caused  by 
human  physical  and  psychological  limitations.  These  errors  may  look  like 
accidental  slips  or  even  "reckless  behavior".  The  basic  cause  can  be  a 
combination  of  severe  circumstances  and/or  physiological  limitations  and 
incapacity  to  deal  with  an  unusual  environment. 

Errors  of  judgment  are  those  that  are  open  to  interpretation,  for  two 
categories  of  reason:  uncertainty  about  facts,  and  diversity  of  preferences  in 
the  face  of  uncertainty.  Contrary  to  gross  errors,  they  cannot  be  easily  defined 
by  a  violation  of  a  deterministic  truth.  Assessment  of  a  probability  or  a 
probability  distribution  to  describe,  for  example,  uncertainties  due  to  a  lack  of 
fundamental  knowledge  about  a  phenomenon  generally  requires  a  subjective 
input  to  interpret  the  evidence.  As  for  risk  attitudes  and  preferences  in  the 
face  of  trade-offs,  they  obviously  vary  among  individuals  and  there  is  in 
principle  nothing  right  or  wrong  about  a  particular  risk  attitude. 

Bad  judgment  can  occur  in  several  different  ways.  First,  the  humans 
and  organizations  may  simply  violate  the  laws  or  the  traditions  of  the 
profession  or  of  society  at  large  when  making  its  safety  decisions. 

Second,  the  humans  and  organizations  may  be  inconsistent  in  its  risk 
attitudes  across  a  spectrum  of  decisions  under  uncertainties  involving 
comparable  risks  in  different  parts  of  the  organization,  for  example,  financial 
risks  involved  in  technical  failures  versus  economic  risks  due  to  market 
fluctuations. 

Third,  the  humans  and  organizations  may  refuse  to  consider  relevant 
available  information  and  misestimate  the  risks  which  may  result  in  a 
decision  that  appears  risk  prone.  This  may  occur  due  to  information  problems 
such  as  inability  of  communicating  incomplete  information  and  resulting 
uncertainties;  or  it  may  be  due  to  a  "group  think"  phenomenon  where  the 
members  of  the  group  converge  in  their  opinions  because  they  simply  neglect 
dissonant  information. 

Errors  of  judgment  can  thus  be  analyzed  as  a  problem  of  divergence  be¬ 
tween  the  organization  and  the  individual  regarding: 

(1)  the  interpretation  of  data  (thus  their  assessments  of  risks  and 

uncertainties),  and 
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(2)  preferences  and  risk  attitudes  that  result  from  the  inherent 

behavioral  tendency  of  the  individual  and  the  organization’s  reward 

system. 

In  the  analysis  of  errors  of  judgment,  two  categories  are  defined  (Figure 
D.2):  bad  judgment  at  the  individual  level  (either  in  interpretation  of  in¬ 
formation  or  in  preferences),  and  good  individual  judgment  (given  the  con¬ 
straints  imposed  on  the  employee  and  his  own  risk  attitude)  leading  to  indi¬ 
vidual  decisions  that  go  against  the  interest  and  preferences  of  the  organi¬ 
zation  and  thus  appears  as  bad  judgment  at  the  corporate  level.  The  first 
category  (bad  judgment  at  the  individual  level)  is  divided  further  among: 
reckless  behavior,  wrong  learning  mechanisms,  refusal  to  believe  or  to  use 
available  information  about  uncertain  quantities,  and  misunderstanding  of 
goals  or  violation  of  the  organization's  rules. 

Errors  of  judgment  (as  well  as  gross  errors)  occur  at  different  rates  in 
the  different  subsystems  -according,  for  instance  to  the  uncertainties  involved. 
The  probabilities  of  detection  of  these  errors  vary  with  their  nature  and  their 
severity.  In  addition,  their  effect  on  the  probability  of  system  failure  also 
depends  on  their  nature  and  their  severity. 

The  relevant  parameters  for  the  analysis  of  the  platform  structure 
system  failures  are  thus  the  following: 

a)  The  global  base  rate  of  errors. 

b)  The  probability  that  an  error  occurs  in  a  specific  subsystem 
conditional  on  its  occurrence  in  the  system  as  a  whole.  It  is  assumed 
here  that,  as  a  first  approximation,  the  probability  that  errors  occur  in 
more  than  one  subsystem  is  negligible  compared  to  the  probability  of 
occurrence  in  only  one  of  them. 

c)  The  probability  of  different  types  of  errors  in  each  of  the  subsystems 
conditional  on  error  occurrence  in  that  subsystem.  The  analysis  of 
error  types  is  reduced  here  for  simplicity  to  gross  errors  (GE)  and 
errors  of  judgment  (EJ).  This  distinction  is  important  because 
reduction  of  their  probabilities  of  occurrence  relies  on  different  types  of 
management  improvement  measures. 

d)  The  probability  of  different  levels  of  error  severity.  For  simplicity,  only 
two  levels  of  severity  are  considered  here:  high  severity  (HS)  less 
frequent  but  more  easily  detectable,  and  low  severity  (LS)  more 
frequent  but  more  likely  to  pass  undetected  through  the  filters  of  the 
review  process.  When  undetected  or  uncorrected,  high-severity  errors 
are  more  likely  to  lead  to  system  failure  than  low- severity  errors. 
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Figure  D.3  -  Error  analysis  for  design  of  a  jacket-type 
offshore  platform 


Figure  D.3  shows  a  set  of  illustrative  values  for  a  jacket-type  offshore 
platform  (Figure  D.l).  The  overall  base  rate  of  design  errors  for  all  jacket-type 
structures  is  estimated  at  20%.  These  errors  are  further  allocated  among  the 
different  subsystems.  Errors  across  subsystems  may  well  occur.  This  can  be 
the  case,  for  example,  if  the  design  relies  on  a  bad  theory  of  the  waves  and  their 
annual  probabilities,  therefore  affecting  the  design  of  all  subsystems. 

The  simple  allocation  used  here  relies  on  a  "dominant  error"  concept, 
i.e.,  that  which  is  most  likely  to  cause  an  initiating  failure.  Errors  associated 
to  the  interface  between  the  deck  and  the  jacket  have  been  attributed  here  to  the 
jacket.  For  example,  the  deck  may  be  too  low  causing  the  jacket's  joints  to  be 
subjected  to  severe  wave  loads. 

Note  that  the  conditional  probability  of  gross  error  for  the  foundation  is 
0.2,  that  the  probability  of  error  of  judgment  is  0.8  and  that  these  probabilities 
are  reversed  for  the  deck.  This  assessment  is  based  on  the  knowledge  that 
there  are  more  uncertainties  and  more  subjectivity  in  the  design  of  the  founda¬ 
tion  than  in  the  design  of  the  deck.  The  design  of  foundations  that  are  located 
in  variable  and  inhomogeneous  soils  is  more  likely  to  rely  on  "judgement" 
than  the  design  of  the  deck. 

As  an  illustration,  the  conditional  probability  of  high-severity  vs  low- 
severity  error  was  chosen  to  be  0.2  (vs  0.8)  across  the  different  types  of  errors 
and  the  different  subsystems. 
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Detection  of  Design  Errors  by  Checking _ 

The  design  review  process  developed  in  thies  example  is  sequential.  The 
first  review  is  performed  by  the  lead  engineer,  typically  competent  and 
knowledgeable,  but  not  necessarily  someone  who  has  had  a  long  experience  in 
the  field.  He  is  thus  more  likely  to  detect  gross  errors  than  errors  of  judgment. 
Also,  high-severity  errors  are  more  visible  than  low-severity  ones  and  are 
therefore  more  likely  to  be  detected  at  all  stages  of  the  review.  If  he  detects  an 
error  (Signal  1),  it  is  assumed  that  the  correction  process  will  take  place  with  a 
rate  of  success  that  depends  on  the  nature  of  the  error:  a  gross  error  is  more 
likely  to  be  corrected  than  an  error  of  judgment  that  the  author  of  the  error 
may  seek  to  defend  even  if  it  is  detected. 

The  second  review  level  is  performed  by  the  engineering  manager, 
generally  a  person  of  experience  who  may  not  check  the  detail  of  all 
computations  but  will  detect  errors  of  judgment  more  easily  than  the  lead 
engineer  (Signal  2).  Finally,  the  constructor  may  detect  an  error  when 
actually  doing  the  work  on  the  field  (Signal  3).  At  this  late  stage  and  given  the 
constructor's  experience,  it  will  be  easier  to  detect  gross  errors  than  errors  of 
judgment  about  which  he  may  have  little  to  say. 

It  is  assumed  that  the  review  process  is  the  same  for  the  different 
subsystems  (foundation,  deck,  and  jacket)  although  the  details  of  the  procedure 
obviously  vary. 

Figure  D.4  shows  a  schematic  representation  of  the  probabilistic 
analysis  of  the  review  process  with  illustrative  numbers  corresponding  to  the 
case  of  gross  errors  of  high  severity  in  the  design  of  the  foundation.  The 
foundation  can  start  with  a  gross  error  (GE),  an  error  of  judgment  (EJ),  or  no 
initial  error  (NIE).  Errors  of  high  or  low  severity  can  be  detected  or  missed  by 
the  successive  reviewers.  It  is  assumed  that  following  corrective  action  (CA), 
the  system  is  returned  to  the  capacity  of  the  structure  had  no  error  occurred  in 
the  first  place. 

Table  D.l  presents  illustrative  numbers  for  the  probability  of  detection 
and  correction  of  design  errors  assuming  for  simplicity  that  the  review  process 
and  the  probabilities  of  signal  observation  are  the  same  for  the  different 
subsystems. 
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Figure  D.4  -  Probability  of  detection  of  errors  in  the  design 
of  foundations  (illustrative  valuesfor  Gross  Errors,  GE,  f 
High  Severity,  HS) 


Table  D.l  -  Probability  of  detection  and  correction  of  design  errors 
by  the  different  levels  of  review 


Type  of  Error 

Lead 

Engineer 

Engineering 

Manager 

Constructor 

Corrective 

Action 

GE,  HS 

0.45 

0.80 

0.70 

0.90 

GE,  LS 

0.20 

0.65 

0.40 

0.60 

EJ,  HS 

0.20 

0.50 

0.10 

0.60 

EJ,  LS 

0.05 

0.30 

0.01 

0.20 

*Probability  that  successful  correction  occurs  given  that  an  error  has  been 
detected  at  one  of  the  review  levels. 

GE:  Gross  Error;  EJ:  Error  of  Judgement; 

HS:  High  Severity;  LS  Low  Severity 


In  this  model,  the  probability  that  corrective  action  actually  occurs 
conditional  on  error  detection  does  not  depend  on  who  discovered  the  error  but 
on  its  nature  and  degree  of  severity.  The  probability  of  successful  corrective 
action  conditional  on  an  error  of  judgment  of  low  severity  has  been  assumed  to 
be  low  because  it  is  more  difficult  in  this  case  to  argue  in  favor  of  slowing  down 
for  correction.  If  a  corrective  action  is  successful,  it  is  assumed  that  the 
system  is  back  to  a  no-error  state.  If  it  is  not  successful,  it  is  assumed  that  the 
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status  quo  prevails  and  that  the  system  is  neither  stronger  nor  weaker  than  if 
the  error  had  not  been  observed  at  all. 

At  the  beginning  of  the  review  process,  the  system  can  be  in  three 
different  states:  no  initial  error  (NIE),  low-severity  initial  error  (LIE),  or  high- 
severity  initial  error  (HIE).  At  the  end  of  the  process,  there  may  be  no  final  de¬ 
sign  error  (NDE)  (either  because  there  was  no  error  in  the  first  place,  or  be¬ 
cause  initial  errors  were  detected  and  corrected),  undetected  design  error  of 
high  severity  (HDE),  or  undetected  design  error  of  low  severity  (LDE). 

No  distinction  is  made  here  among  errors  of  the  same  severity 
regarding  their  nature  (GE  or  EJ)  because  it  is  assumed  that  this 
characteristic  does  not  influence  the  probability  of  failure.  The  different  levels 
of  errors  in  the  final  states  are  the  result  of  the  logical  analysis  of  the  sequence 
of  errors  occurrence,  detection,  and  correction. 

The  occurrences  of  NDE,  LDE,  and  HDE  can  be  written: 

NDE  =  NIE  +  EJ  x  observation  x  correction  +  GE  x  observation  x 
correction  (D.3) 

LDE  =  GE  x  LIE  x  (no  observation  +  observation  x  no  correction)  +  E  J  x 
LIE  x  (no  observation  +  observation  x  no  correction)  (D.4) 

HDE  =  GE  x  HIE  x  (no  observation  +  observation  x  no  correction)  +  EJ  x 
HIE  x  (no  observation  +  observation  x  no  correction)  (D.5) 

Observation  =  SI  +  (NS1  x  S2)  +  (NS1  x  NS2  x  S3)  (D.6) 

Given  the  data  described  above,  this  implies  for  the  foundation  the 
following  distribution  for  the  final  error  states: 

p(NDE)  =  0.9220 
p(LDE)  =  0.0676 
p(HDE)  =  0.0104 

Note  that,  in  relative  terms,  the  review  process  increases  little  the 
probability  of  no  design  error  (from  0.9  to  0.922)  but  decreases  considerably  the 
relative  rate  of  high-  severity  errors  (from  0.02  to  0.01). 


311 


Role  of  Human  Error  In  Reliability  of  Marine  Structures 

Probability  of  Structural  Failure  Due  to  Design  Errors 


The  effect  of  the  error  detection  and  correction  process  is  a  variation  in 
the  capacity  of  the  system  to  withstand  loads  such  as  waves. 


Failure  of  the  Foundation 

Focusing  for  the  moment  on  the  possibility  of  failure  of  the  foundation 
(O),  assume  the  following  annual  failure  probabilities  for  each  of  the  final  sys¬ 
tem  states: 

p(0  I  NDE)  =  3.5  x  10'5 

p(0  I  LDE)  =  3.5  x  10-4 

p(0  I  HDE)  =  3.5  x  lO-2 

Failure  of  the  foundation  given  no  final  design  error  corresponds  either 
to  errors  in  other  project  phases  (construction  or  operations)  or  to  inherent 
randomness  in  the  occurrence  of  the  loads.  The  former  is  the  most  frequent 
case  as  shown  below.  The  latter  represents  the  rare  instances  where  the 
external  loads  exceed  the  design  level  (and  implicit  safety  margins)  that  had 
been  chosen  in  the  first  place. 

Generally  defining  as  S  the  level  of  error  severity,  fg(s)  its  probability 
density  function,  and  p(0  I  s)  the  conditional  probability  of  failure  of  the  foun¬ 
dation  given  an  error  level  s,  the  probability  of  foundation  failure  can  be 
written: 

p(O)  =  J  fg(s)  x  p(0  I  s)  ds  (D.7) 

In  the  simple  case  of  three  error  levels  considered  here,  the  probability  of 
foundation  failure  is: 

p(O)  =  p(0,  NDE)  +  p(0,  LDE)  +  p(0,  HDE)  (D.8) 

p(0)=  p(NDE)  x  p(0  I  NDE)  +  p(LDE)  x  p(0  I  LDE) 

+  p(HDE)  x  p(0  I  HDE)  (D.9) 

Given  the  probabilities  of  final  error  states  computed  above  (e.g., 
undetected  low-severity  design  error)  and  the  failure  probabilities  in  each  case, 
the  annual  probability  of  failure  for  the  foundation  is  thus: 

p(O)  =  p(0  I  NDE)  x  p(NDE)  +  p(0  I  LDE)  x  p(LDE) 

+  p(0  I  HDE)  x  p(HDE)  (D.10) 


Thus, 
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p(0)=  0.9220  x  3.5  x  105  +  0.0676  x  3.5  x  10-4  +  0.0104  x  3.5  x  10’2 
and,  p(0)=  4.2  x  10-4. 

Of  this  total  foundation  failure  probability  per  year,  86%  are  attributable 
to  undetected  design  errors  of  high  severity,  6%  to  undetected  design  errors  of 
low  severity,  and  8%  to  no  design  error  situations.  Although  high-severity 
errors  are  rare,  the  resulting  probability  of  foundation  failure  is  large,  hence 
their  high  contribution  to  the  overall  failure  probability  for  the  foundation. 

As  it  will  become  clear  in  the  second  phase  of  the  computations 
(cumulation  of  errors),  this  is  due  to  the  fact  that  design  errors  were  found  to 
be  a  major  source  of  foundation  failures,  whereas  construction  errors  are  less 
critical  and  operation  errors  are  still  less  likely  to  affect  the  foundation. 


Failure  of  the  Jacket 

The  only  change  in  the  data  with  respect  to  the  previous  computations 
are  assumed  to  be  the  overall  probability  of  occurrence  and  the  rates  of  gross 
errors  (50%)  and  errors  of  judgment  (50%)  given  design  error  for  the  jacket. 
Conditional  observation  of  signals  and  effectiveness  of  corrective  actions  are 
assumed  to  be  the  same. 

On  the  basis  of  these  data,  the  probabilities  of  the  different  states  of  the 
jacket  at  the  end  of  the  review  process  are  the  following: 

p(NDE)=  0.9547  (from  0.93  initial  no  error  rate) 
p(LDE)  =  0.0401  (from  0.056) 

p(HDE)  =  0.0052  (from  0.014) 


Again,  in  the  case  of  the  jacket,  the  design  review  process  increases 
little  the  probability  of  no  design  error  and  mainly  reduces  the  probability  of 
high-severity  errors.  The  probability  of  failure  of  the  jacket  conditional  on 
different  structural  states  (due  to  the  occurrence  of  design  errors)  can  be  the 
result  of  a  detailed  PRA  taking  into  account  the  specific  types  of  errors  and 
their  effect  on  the  structure,  as  well  as  the  loads'  distribution.  Estimates  of 
these  probabilities  are  the  following: 

p(A  I  NDE)  =  3  x  10-4 
p(A  I  LDE)  =  5  x  10-3 
p(A  I  HDE)  =  2  x  10-2 

The  total  annual  probability  of  failure  of  the  jacket  is  then: 

p(A)  =  p(A  I  NDE)  x  p(NDE)  +  p(A  I  LDE)  x  p(LDE) 

+  p(A  I  HDE)  x  p(HDE)  (D.ll) 

p(A)=  (3xl0-4  x  0.9547)  +  (5  x  10'3  x  4.106  x  10'2)  +  (2  x  10'2  x  5.22  x  10’3) 
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p(A)=  6.06  x  10-4 

Accounting  for  all  possible  states  of  the  structure  resulting  from  the 
occurrence  of  errors,  the  probability  of  failure  of  the  jacket  itself  is  about  6  x  10- 
4  of  which  47%  can  be  attributable  to  situations  in  which  there  was  no  error  in 
the  final  design,  33%  to  undetected  low-severity  design  errors,  and  20%  to 
undetected  high-severity  design  errors.  The  contribution  of  the  no-design- 
error  scenario  to  the  overall  probability  of  failure  is  much  larger  than  for  the 
foundation  because,  as  it  is  shown  later  in  this  paper,  the  jacket  is  also 
vulnerable  to  construction  errors  and,  to  a  smaller  extent,  to  operations  errors 
which  contribute  a  large  part  of  the  overall  failure  probability  without 
necessarily  involving  design  errors. 


Failure  of  the  Deck 

In  the  case  of  failure  of  the  deck  component,  the  same  method  is  applied. 
The  main  changes  are  the  base  rate  (3%)  and  the  rate  of  gross  errors  (80%)  as 
opposed  to  errors  of  judgment  (20%).  Given  the  high  rate  of  more  easily 
detectable  gross  errors  in  the  design,  the  probability  of  undetected  errors  is 
smaller  than  for  the  rest  of  the  platform. 

Given  that  only  3%  of  the  platforms  are  assumed  to  experience  any  error 
in  the  initial  deck  design,  the  probability  distribution  obtained  through  the 
model  for  the  different  states  of  the  deck  after  review  of  the  design  is  the  fol¬ 
lowing: 

p(NDE)  =  0.9845  (from  0.97  before  the  review  process) 
p(LDE)  =  0.0141  (from  0.024) 

p(HDE)  =  0.0014  (from  0.006) 

The  probability  of  failure  of  the  deck  depends  in  large  part  on  the  occur¬ 
rence  of  external  events  such  as  fires  and  blowouts  that  are  not  as  dependent  of 
the  deck  design  (in  occurrence  and  consequences)  as  the  effects  of  external 
loads  on  other  subsystems.  It  is  thus  less  sensitive  to  errors  in  the  structural 
design  than  the  jacket  or  the  foundation  that  are  subjected  regularly  to  wave 
loads.  The  annual  probability  of  failure  of  the  deck  conditional  on  the  different 
states  corresponding  to  the  levels  of  severity  of  design  errors  are  estimated  to  be 
the  following: 

p(E  I  NDE)  =  10-3 
p(E  I  LDE)  =  3  x  lO-3 
p(E  I  HDE)  =  10-2 

The  overall  annual  probability  of  failure  of  the  deck  is  thus: 

p(E)  =  p(E  I  NDE)  x  p(NDE)  +  p(E  I  LDE)  x  p(LDE) 

+  p(E  I  HDE)xp(HDE)  (D.12) 
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=  (lO-3  x  0.9845)  +  (3  x  10'3  x  1.41xl0-2)  +  (10-2  x  1.4x10-3) 

=  9.8  x  10-4  +  5.16  x  10-5  +  2.24  x  10'5 
=  1.05  x  10-3 

The  probability  of  failure  of  the  deck,  which  is  about  lO-3,  is  thus  the 
dominant  element  of  the  overall  failure  probability  for  the  platform.  The  per¬ 
centage  of  failures  that  occur  without  design  errors  (but  may  be  caused  by 
other  types  of  errors  and  external  events  due  to  production  activity  on  the  deck) 
represent  93%  of  the  overall  failure  probability;  low-severity  and  high-severity 
errors  in  the  final  design  account  only  respectively  for  5%  and  2%  of  the 
probability  of  failure  of  the  deck. 

The  results  are  presented  in  Table  D.2.  They  show  the  contribution  of 
each  of  the  subsystems  to  the  overall  failure  probability,  and  also  the 
contribution  of  the  types  of  error  given  their  nature  and  their  severity.  Further 
analysis  of  the  different  types  of  organizational  errors  can  then  be  used  to 
compute  the  reduction  in  the  global  failure  probability  that  can  be  expected 
from  the  reduction  of  the  rate  of  errors  of  different  types. 


Table  D.2  -  Annual  probability  of  failure  of  an  offshore  platform  for 
contribution  of  gross  errors  and  errors  of  judgement  in  the  design  phase 


Gross  Er. 
Er.  of  Judg. 


Gross  Er. 
Er.  of  Judg. 


Fniindatirms 

Tflrkp.t 

Deck 

Whole  structure 

Failure  Prob. 

Percentage 

3.6  x  10-4 

10-4 

2.2  x  10-5 

4.8  x  10-4 

25% 

7.2  x  10-5 

5  x  10-5 

1.8  x  10-5 

1.4  x  10-4 

7% 

2.9  x  10-4 

5  x  10-5 

4.4  x  10-6 

3.4  x  10-4 

18% 

2.4  x  10-5 

2  x  10-4 

5.2  x  10-5 

2.9  x  10-4 

15% 

4.8  x  10-6 

10-4 

4.2  x  10-5 

1.5  x  10-4 

8% 

1.9  x  10-5 

10-4 

10-5 

1.3  x  10-4 

7% 

3.2  x  10-5 

2.9  x  10-4 

9.8  x  10-4 

1.3  x  10-3 

60% 

GE:  15% 

4.1  x  10-4 

6.1  x  10-4 

10-3 

2.2  x  10-3 

EJ:  25% 

NE:  60% 
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Errors  in  Design,  Construction,  and  Operations 


Historical  analysis  of  failures  shows  that  failures  often  occur  when 
several  errors  contribute  to  weakening  a  platform.  In  cases  where  no  design 
error  has  occurred,  errors  in  construction  or  operations  phases  can  cause  a 
platform  failure.  The  following  analysis  allows  extension  of  the  previous  com¬ 
putations  to  include  not  only  design  errors  but  also  construction  and  opera¬ 
tions  errors. 

Note  that  the  probabilities  computed  so  far  include  implicitly  the 
possibility  of  additional  errors  in  the  estimate  ofp(F)  conditional  on  the 
different  levels  of  design  error.  In  this  section,  the  cumulation  is  considered 
explicitly.  The  annual  probabilities  of  construction  and  operation  errors  are 
assumed  to  be  the  results  of  a  process  analysis  similar  to  the  one  developed  in 
the  previous  sections  for  design  errors.  The  results  are  the  probabilities  of  er¬ 
rors  of  different  severity  levels  in  the  different  phases.  It  is  assumed  here  that 
design  errors,  construction  errors,  and  operation  errors  are  independent 
among  themselves  and  independent  across  subsystems. 

For  illustrative  purposes,  the  distributions  of  undetected/uncorrected 
construction  errors  for  each  of  the  subsystems  were  assumed  to  be  similar  to 
those  of  design  errors. 

Construction  errors  in  the  foundation: 

•  No  Error  (NCE):  p0(NCE)  =  0.9220 

•  Low  severity  (LCE):  pq(LCE)  =  0.0676 

•  High  severity  (HCE):  pq(HCE)  =  0.0104 

Construction  errors  in  the  jacket: 

•  pA(NCE)  =  0.9547 

•  pA(LCE)  =  0.0401 

•  pa(HCE)  =  0.0052 

Construction  errors  in  the  deck: 

•  pE(NCE)  =  0.9845 

•  pE(LCE)  =  0.0141 

•  pE(HCE)  =  0.0014 

The  annual  distribution  for  operations  errors  is  assumed  to  be  the  same 
for  the  three  subsystems  and  was  estimated  as  follows: 

•  No  error  (NOE):  p(NOE)  =  0.85 

•  Low  severity  (LOE):  p(LOE)  =  0.10 

•  High  Severity  (HOE):  p(HOE)  =  0.05 
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Effects  of  Error  Culmination 


The  probabilities  of  failure  of  the  different  subsystems  (foundation, 
jacket,  and  deck)  are  entered  in  this  model  as  conditional  probabilities  given 
the  possible  combinations  of  errors  of  different  types  (ex:  construction)  and  dif¬ 
ferent  severity  levels  (ex:  high  severity).  These  probabilities  of  failure  are 
treated  here  as  data  based  on  expert  opinions. 

These  failure  probabilities  for  each  scenario  of  error  combination  can 
also  be  obtained  as  the  results  of  detailed  PRAs,  in  which  the  nature  of  the  dif¬ 
ferent  types  of  errors  are  specified,  and  the  couplings  of  their  effects  are  ex¬ 
plicitly  considered  in  the  computation  of  the  failure  probability. 

The  conditional  probabilities  of  failure  for  each  subsystem  X  given  a 
particular  level  of  design  error  (DE)  is  the  sum  for  all  severity  levels  of 
construction  errors  (CE)  and  operations  errors  (OE)  of  the  joint  probability  of 
failure  and  errors  divided  by  the  probability  of  the  design  error  after  the  review 
and  correction  process  has  taken  place.  Because  the  occurrence  of  errors  of 
different  types  are  assumed  to  be  independent  events,  the  joint  probability  of 


errors  is  the  product  of  their  marginal  probabilities. 

p(X  I  DE)  =  p(X,  DE)  /  p(DE)  (D.13) 

=  [2  X  P(X,  DE,  CE,  OE)]  /  p(DE)  (D.14) 

CE  OE 

=  [X  X  P(X  I  DE,  CE,  OE)  p  (DE,  CE,  OE)]  /  p(DE)  (D.15) 
CE  OE 

=  £  £  [p(X  I  DE,  CE,  OE)  p(CE)  p(OE)]  (D.16) 

CE  OE 


The  assembly  model  (from  initial  errors  to  review,  correction,  and  final 
error  levels  in  design,  construction,  and  operations)  is  an  ETA  that  is 
described  and  processed  here  as  an  IDA.  One  IDA  was  developed  for  each  of 
the  subsystems.  Figure  D.5  shows  a  global  IDA  for  the  foundation. 
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Figure  D.5  -  IDA  for  the  design,  construction,  and  operation  life-cycle  phses  of 
the  foundation 


The  severity  that  characterizes  a  cumulation  of  errors  is  taken  as  the 
highest  severity  level  in  the  error  combination:  for  instance,  a  situation  such 
as  {no  design  error,  high-severity  construction  error,  no  operation  error}  is 
classified  in  the  end  as  a  high-severity  error  situation.  The  results  of  the 
analysis  include  first  a  probability  distribution  for  the  failure/no  failure  sit¬ 
uations  allocated  among  the  different  levels  of  dominant  errors  (square  box) 
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and  second,  the  joint  distribution  of  failure  states  and  error  severities  for  each 
phase  of  the  platform  lifetime  (design,  construction,  and  operation)  shown  on 
the  influence  diagram  in  the  oval  double  boxes. 

i 

Table  D.3  summarizes  the  final  results  allocated  among  subsystems 
(e.g.  jacket)  and  severity  of  the  dominant  error  in  each  combination  (e.g.,  high- 
severity  construction  error  in  the  scenario:  LDE,  HCE,  NOE).  Note  that  the 
percentages  shown  in  Table  D.3  reflect  the  contribution  of  the  dominant  error 
alone.  Yet,  low-severity  errors  can  act  as  "catalysts"  in  such  scenarios  be¬ 
cause  they  worsen  the  effect  of  a  concurrent  high-severity  error.  Their  con¬ 
tribution  to  the  overall  failure  probability  (17%)  is  thus  underestimated  by  this 
method. 


Table  D.3  -  Probability  of  failure  of  example  platform  with  cumulation  of  errors 

in  design,  construction,  and  operations 


Subsystem 

o 

Fdn. 

E 

Deck 

Whole 

Structure 

Percent 
of  Total 

HS 

mn^ 

79% 

LS 

i^ 

17% 

NE 

||jgg|gg 

iiiiiiigi 

4% 

Total 

4.1  x  10-4 

6.1  x  1(H 

1.0  x  10-3 

2.0x10-3 

100% 

HS:  High  Severity  Errors;  LS:  Low  Severity  Errors;  NE:  No  Errors 


The  annual  probability  of  failure  can  no  longer  be  attributed  in  a  simple 
manner  among  design,  construction,  or  operations  since  all  combinations  are 
assumed  possible  and  each  type  contributes  to  the  overall  failure  probability. 

In  particular,  errors  of  different  types  but  of  the  same  severity  may  be 
dominant  in  the  same  combination  (e.g.,  high  severity  construction  error  and 
high  severity  operations  error).  Note  that  the  probability  of  failure  and  no  error 
has  considerably  decreased  compared  to  the  previous  analysis  of  failures  due 
to  design  errors  alone  because  it  means,  in  this  phase  of  the  computations, 
that  no  error  occurred  at  all  neither  in  design,  nor  construction,  nor 
operations  (as  opposed  to  no  error  in  design  alone). 

The  results  also  include  the  joint  probability  of  failure  for  each  of  the 
subsystems  and  a  given  level  of  error  of  each  type  (design,  construction,  opera¬ 
tions)  as  well  as  the  corresponding  conditional  probabilities  of  failure  given  a 
particular  level  and  type  of  error.  For  each  type  of  error,  these  results  show 
the  corresponding  allocation  of  the  subsystems'  annual  failure  probability 
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among  the  different  levels  of  error  severity  for  each  error  type.  The  spread  of 
the  conditional  distribution  characterizes  the  sensitivity  of  the  system  to  errors 
of  the  corresponding  type. 

For  the  foundation,  design  errors  are  the  most  critical,  and  high- 
severity  design  errors  clearly  dominate  the  joint  distribution.  The  conditional 
distribution  of  failure  given  error  severity  shows  a  wide  spread  (three  orders  of 
magnitude)  and  a  large  increase  (two  orders  of  magnitude)  between  effects  of 
low-  and  high-severity  errors.  Construction  errors  are  less  critical,  with  a 
joint  distribution  (failure  and  errors'  severity)  dominated  by  "failure  and  low- 
severity  errors". 

Note  that  this  is  one  of  the  cases  where  low-severity  errors  become  domi¬ 
nant  because  they  are  more  frequent  than  the  high-  severity  ones  but  decrease 
the  system's  capacity  sufficiently  to  make  operations  errors  more  dangerous 
and  external  events  (e.g.,  blowouts)  more  damaging.  Finally,  in  general, 
operations  errors  are  not  very  critical:  failure  and  no  operations  error 
dominates  the  joint  distribution  (failure  and  severity  of  errors).  Accordingly, 
the  conditional  probability  of  failure  given  operations  error  levels  is  tight  and 
ranges  over  less  than  one  order  of  magnitude. 

For  the  jacket,  design  and  construction  errors  are  equally  critical  with 
conditional  distributions  spread  over  two  orders  of  magnitude  between  failure 
given  no  error  and  failure  given  high-severity  errors.  Operations  errors  are 
less  critical  although  they  affect  the  jacket  a  little  more  than  the  foundation 
(over  one  order  of  magnitude  in  the  range  of  conditional  failure  probability). 

For  the  deck,  operations  errors  are  the  most  critical,  with  failure  given 
no  error  on  the  order  of  10  5  and  failure  given  high-severity  errors  on  the  order 
of  10'2.  In  the  joint  distribution  of  failure  and  errors  of  different  levels  of 
severity,  the  dominant  term  is  due  to  high-severity  errors  (8xl0~4)  with  a  non 
negligible  contribution  of  failures  and  low-  severity  errors.  Design  and 
construction  are  less  critical  but  still  affect  the  deck  to  the  extent  that  they 
amplify  the  effects  of  operations  errors  (e.g.,  poor  design  against  fire)  or  that 
they  make  the  deck  more  susceptible  to  high  levels  of  wave  loads. 

Note  that  the  results  are  annual  probabilities  of  failure.  For  operations 
errors,  it  is  assumed  that  the  rates  of  errors  and  their  effects  on  the  platform 
remain  invariant.  In  design  and  construction,  errors  occur  once  and  for  all. 

It  is  assumed  here  that  the  annual  failure  probability  does  not  vary  given  the 
occurrence  of  errors  of  different  severity  levels.  In  fact,  this  may  not  be  the 
case:  if  failure  has  not  occurred  at  any  given  year,  it  may  be  that  the  probability 
that  it  occurs  the  following  year  decreases. 
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Appendix  D 


Example;  Analysis  of  Platform  Design 


Results  of  Improvement  in  Design  Review 


Improvement  in  the  design  review  process  can  be  achieved  by  the 
intervention  of  a  certified  verifying  authority.  A  high-quality  verification 
process  could  modify  the  probabilities  of  undetected  gross  errors  and 
judgmental  errors,  of  low  and  high  severity,  in  the  foundations,  the  jacket,  and 
the  deck. 

Table  D.4  summarizes  the  variations  of  design  error  probabilities  with 
improvements  of  the  review  process.  The  following  estimates  reflect  the  possi¬ 
ble  reductions  in  probabilities  of  failure  of  the  platform  components  that  can  be 
achieved  by  an  improvement  of  the  review  process: 

p’  (O)  =  0.96  x  3.5  x  lO-5  +  0.035  x  3.5  x  1(H  +  0.005  x  3.5  x  102 
=  2.21xl0-4  (from  p(0)  =  4.2xl0-4) 

p'(A)  =  0.97  x  3  x  10-4  +  0.028  x  5  x  10'3  +  0.002  x  2  x  102 
=  4.71  x  10-4  (from  p(A)  =  6.06  x  1(H) 

p'(E)  =  0.99  x  lO-3  +  0.009  x  3  x  103  +  0.001  x  102 
=  1.027  x  10-3  (from  p(E)  =  1.05  x  103) 

p'(F)  =  2.21  x  lO  4  +  4.71  x  10-4  +  1.027  x  lO"3 
=  1.72  x  lO  3  (from  p(F)  =  2.2  x  10'3) 

Note  that  this  improvement  of  the  review  process  reduces  mostly  the 
probability  of  failure  of  the  foundation  (approximately  by  a  factor  of  two),  to 
some  extent  the  probability  of  failure  of  the  jacket  (by  about  twenty  percent), 
and  reduces  little  the  probability  of  failure  of  the  deck  that  is  more  susceptible 
to  operations  errors  than  design  errors.  Because  the  major  contributor  to  the 
platform  failure  is  the  deck,  the  reduction  of  the  overall  failure  probability  is 
only  22%.  If  in  addition  to  correcting  errors  in  design,  the  design  of  the  deck  is 
also  modified  to  decrease  the  consequences  of  operations  errors  (for  example, 
preventing  fire  propagation),  major  gains  can  be  achieved  by  design  changes 
alone. 
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Bole  of  Human  Error  In  Reliability  of  Marine  Structures 


Table  D.4  -  Estimated  variations  of  design  error  probabilities 
with  improvements  of  the  review  process 


Subsystem 

Errors  v 

Foundation 

From  To 

Jacket 

From 

To 

Deck 

From 

To 

No  Error 

0.922 

0.96 

0.955 

0.97 

0.9845 

0.99 

Low  Severity 

0.0672 

0.035 

0.041 

0.028 

0.0141 

0.009 

High  Severity 

0.0104 

0.005 

0.0052 

0.002 

0.0014 

0.001 
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